[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"similar-trailofbits--claude-code-config":3,"tool-trailofbits--claude-code-config":64},[4,18,26,39,47,56],{"id":5,"name":6,"github_repo":7,"description_zh":8,"stars":9,"difficulty_score":10,"last_commit_at":11,"category_tags":12,"status":17},6121,"gemini-cli","google-gemini\u002Fgemini-cli","gemini-cli 是一款由谷歌推出的开源 AI 命令行工具，它将强大的 Gemini 大模型能力直接集成到用户的终端环境中。对于习惯在命令行工作的开发者而言，它提供了一条从输入提示词到获取模型响应的最短路径，无需切换窗口即可享受智能辅助。\n\n这款工具主要解决了开发过程中频繁上下文切换的痛点，让用户能在熟悉的终端界面内直接完成代码理解、生成、调试以及自动化运维任务。无论是查询大型代码库、根据草图生成应用，还是执行复杂的 Git 操作，gemini-cli 都能通过自然语言指令高效处理。\n\n它特别适合广大软件工程师、DevOps 人员及技术研究人员使用。其核心亮点包括支持高达 100 万 token 的超长上下文窗口，具备出色的逻辑推理能力；内置 Google 搜索、文件操作及 Shell 命令执行等实用工具；更独特的是，它支持 MCP（模型上下文协议），允许用户灵活扩展自定义集成，连接如图像生成等外部能力。此外，个人谷歌账号即可享受免费的额度支持，且项目基于 Apache 2.0 协议完全开源，是提升终端工作效率的理想助手。",100752,2,"2026-04-10T01:20:03",[13,14,15,16],"插件","Agent","图像","开发框架","ready",{"id":19,"name":20,"github_repo":21,"description_zh":22,"stars":23,"difficulty_score":10,"last_commit_at":24,"category_tags":25,"status":17},4721,"markitdown","microsoft\u002Fmarkitdown","MarkItDown 是一款由微软 AutoGen 团队打造的轻量级 Python 工具，专为将各类文件高效转换为 Markdown 格式而设计。它支持 PDF、Word、Excel、PPT、图片（含 OCR）、音频（含语音转录）、HTML 乃至 YouTube 链接等多种格式的解析，能够精准提取文档中的标题、列表、表格和链接等关键结构信息。\n\n在人工智能应用日益普及的今天，大语言模型（LLM）虽擅长处理文本，却难以直接读取复杂的二进制办公文档。MarkItDown 恰好解决了这一痛点，它将非结构化或半结构化的文件转化为模型“原生理解”且 Token 效率极高的 Markdown 格式，成为连接本地文件与 AI 分析 pipeline 的理想桥梁。此外，它还提供了 MCP（模型上下文协议）服务器，可无缝集成到 Claude Desktop 等 LLM 应用中。\n\n这款工具特别适合开发者、数据科学家及 AI 研究人员使用，尤其是那些需要构建文档检索增强生成（RAG）系统、进行批量文本分析或希望让 AI 助手直接“阅读”本地文件的用户。虽然生成的内容也具备一定可读性，但其核心优势在于为机器",93400,"2026-04-06T19:52:38",[13,16],{"id":27,"name":28,"github_repo":29,"description_zh":30,"stars":31,"difficulty_score":10,"last_commit_at":32,"category_tags":33,"status":17},2268,"ML-For-Beginners","microsoft\u002FML-For-Beginners","ML-For-Beginners 是由微软推出的一套系统化机器学习入门课程，旨在帮助零基础用户轻松掌握经典机器学习知识。这套课程将学习路径规划为 12 周，包含 26 节精炼课程和 52 道配套测验，内容涵盖从基础概念到实际应用的完整流程，有效解决了初学者面对庞大知识体系时无从下手、缺乏结构化指导的痛点。\n\n无论是希望转型的开发者、需要补充算法背景的研究人员，还是对人工智能充满好奇的普通爱好者，都能从中受益。课程不仅提供了清晰的理论讲解，还强调动手实践，让用户在循序渐进中建立扎实的技能基础。其独特的亮点在于强大的多语言支持，通过自动化机制提供了包括简体中文在内的 50 多种语言版本，极大地降低了全球不同背景用户的学习门槛。此外，项目采用开源协作模式，社区活跃且内容持续更新，确保学习者能获取前沿且准确的技术资讯。如果你正寻找一条清晰、友好且专业的机器学习入门之路，ML-For-Beginners 将是理想的起点。",85092,"2026-04-10T11:13:16",[15,34,35,13,14,36,37,16,38],"数据工具","视频","其他","语言模型","音频",{"id":40,"name":41,"github_repo":42,"description_zh":43,"stars":44,"difficulty_score":10,"last_commit_at":45,"category_tags":46,"status":17},6520,"openai-cookbook","openai\u002Fopenai-cookbook","openai-cookbook 是 OpenAI 官方提供的一套实用代码示例与指南合集，旨在帮助开发者快速上手并掌握 OpenAI API 的核心用法。面对大模型应用中常见的提示词工程、函数调用、数据嵌入及复杂任务编排等挑战，新手往往难以找到标准化的实现路径。openai-cookbook 通过提供经过验证的代码片段和详细教程，有效解决了“如何从零开始构建应用”以及“如何最佳实践特定功能”的痛点。\n\n这套资源主要面向软件开发者和 AI 技术研究人员，同时也适合希望深入理解大模型能力的技术爱好者。虽然示例代码主要以 Python 编写，但其背后的设计思路和技术逻辑具有通用性，可轻松迁移至其他编程语言。其独特亮点在于内容紧跟官方最新特性更新，覆盖了从基础文本生成到高级代理（Agent）构建的全场景需求，且所有示例均支持在本地环境直接运行调试。作为开源项目，它采用宽松的 MIT 许可证，鼓励社区贡献与二次开发，是学习大模型应用开发不可或缺的实战手册。",72659,"2026-04-10T21:55:21",[37,13],{"id":48,"name":49,"github_repo":50,"description_zh":51,"stars":52,"difficulty_score":53,"last_commit_at":54,"category_tags":55,"status":17},2181,"OpenHands","OpenHands\u002FOpenHands","OpenHands 是一个专注于 AI 驱动开发的开源平台，旨在让智能体（Agent）像人类开发者一样理解、编写和调试代码。它解决了传统编程中重复性劳动多、环境配置复杂以及人机协作效率低等痛点，通过自动化流程显著提升开发速度。\n\n无论是希望提升编码效率的软件工程师、探索智能体技术的研究人员，还是需要快速原型验证的技术团队，都能从中受益。OpenHands 提供了灵活多样的使用方式：既可以通过命令行（CLI）或本地图形界面在个人电脑上轻松上手，体验类似 Devin 的流畅交互；也能利用其强大的 Python SDK 自定义智能体逻辑，甚至在云端大规模部署上千个智能体并行工作。\n\n其核心技术亮点在于模块化的软件智能体 SDK，这不仅构成了平台的引擎，还支持高度可组合的开发模式。此外，OpenHands 在 SWE-bench 基准测试中取得了 77.6% 的优异成绩，证明了其解决真实世界软件工程问题的能力。平台还具备完善的企业级功能，支持与 Slack、Jira 等工具集成，并提供细粒度的权限管理，适合从个人开发者到大型企业的各类用户场景。",71029,3,"2026-04-11T22:49:21",[37,14,16,13],{"id":57,"name":58,"github_repo":59,"description_zh":60,"stars":61,"difficulty_score":10,"last_commit_at":62,"category_tags":63,"status":17},51,"gstack","garrytan\u002Fgstack","gstack 是 Y Combinator CEO Garry Tan 亲自开源的一套 AI 工程化配置，旨在将 Claude Code 升级为你的虚拟工程团队。面对单人开发难以兼顾产品战略、架构设计、代码审查及质量测试的挑战，gstack 提供了一套标准化解决方案，帮助开发者实现堪比二十人团队的高效产出。\n\n这套配置特别适合希望提升交付效率的创始人、技术负责人，以及初次尝试 Claude Code 的开发者。gstack 的核心亮点在于内置了 15 个具有明确职责的 AI 角色工具，涵盖 CEO、设计师、工程经理、QA 等职能。用户只需通过简单的斜杠命令（如 `\u002Freview` 进行代码审查、`\u002Fqa` 执行测试、`\u002Fplan-ceo-review` 规划功能），即可自动化处理从需求分析到部署上线的全链路任务。\n\n所有操作基于 Markdown 和斜杠命令，无需复杂配置，完全免费且遵循 MIT 协议。gstack 不仅是一套工具集，更是一种现代化的软件工厂实践，让单人开发者也能拥有严谨的工程流程。",69865,"2026-04-11T23:04:24",[14,13],{"id":65,"github_repo":66,"name":67,"description_en":68,"description_zh":69,"ai_summary_zh":69,"readme_en":70,"readme_zh":71,"quickstart_zh":72,"use_case_zh":73,"hero_image_url":74,"owner_login":75,"owner_name":76,"owner_avatar_url":77,"owner_bio":78,"owner_company":79,"owner_location":79,"owner_email":80,"owner_twitter":75,"owner_website":81,"owner_url":82,"languages":83,"stars":88,"forks":89,"last_commit_at":90,"license":79,"difficulty_score":91,"env_os":92,"env_gpu":93,"env_ram":94,"env_deps":95,"category_tags":109,"github_topics":110,"view_count":10,"oss_zip_url":79,"oss_zip_packed_at":79,"status":17,"created_at":115,"updated_at":116,"faqs":117,"releases":118},6715,"trailofbits\u002Fclaude-code-config","claude-code-config","Opinionated defaults, documentation, and workflows for Claude Code at Trail of Bits","claude-code-config 是网络安全公司 Trail of Bits 开源的一套 Claude Code 配置指南与最佳实践集合。它并非单一软件，而是一套经过实战验证的“意见性”默认设置、文档和工作流，旨在帮助用户在安全审计、软件开发及科研场景中更高效、安全地使用 Claude Code。\n\n这套配置解决了大模型辅助编程中常见的环境搭建繁琐、沙箱权限管理复杂以及缺乏标准化操作流程等痛点。通过一键脚本，它能自动检测并安装所需组件，统一了从终端选择到插件集成的开发环境，显著降低了配置门槛。\n\n该工具特别适合对代码质量和安全性有高标准要求的开发者、安全研究人员及技术团队。其独特亮点在于深度整合了 Ghostty 终端以优化长会话性能，预置了包括 Ruff、Ast-grep 在内的多种核心静态分析工具，并提供了关于沙箱隔离、MCP 服务器集成及自定义技能（Skills）编写的详细指导。此外，它还收录了多位行业专家关于 AI 辅助编程的深度思考文章，帮助用户建立正确的使用心智模型，让 AI 真正成为提升工程效率的可靠伙伴。","# Trail of Bits Claude Code Config\n\nOpinionated defaults, documentation, and workflows for Claude Code at Trail of Bits. Covers sandboxing, permissions, hooks, skills, MCP servers, and usage patterns we've found effective across security audits, development, and research.\n\n> Also see: [skills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills) · [skills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) · [claude-code-devcontainer](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-devcontainer) · [dropkit](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fdropkit)\n\n**First-time setup:**\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-config.git\ncd claude-code-config\nclaude\n```\n\nThen inside the session, run `\u002Ftrailofbits:config`. It walks you through installing each component, detects what you already have, and self-installs the command so future runs work from any directory. Run `\u002Ftrailofbits:config` again after updates.\n\n## Contents\n\n**[Getting Started](#getting-started)**\n- [Read These First](#read-these-first)\n- [Prerequisites](#prerequisites)\n- [Shell Setup](#shell-setup)\n- [Settings](#settings)\n- [Global CLAUDE.md](#global-claudemd)\n\n**[Configuration](#configuration)**\n- [Sandboxing](#sandboxing)\n- [Hooks](#hooks)\n- [Plugins and Skills](#plugins-and-skills)\n- [MCP Servers](#mcp-servers)\n- [Local Models](#local-models)\n- [Personalization](#personalization)\n\n**[Usage](#usage)**\n- [Continuous Improvement](#continuous-improvement)\n- [Project-level CLAUDE.md](#project-level-claudemd)\n- [Context Management](#context-management)\n- [Web Browsing](#web-browsing)\n- [Fast Mode](#fast-mode)\n- [Commands](#commands)\n- [Writing Skills and Agents](#writing-skills-and-agents)\n- [Recommended Skills](#recommended-skills)\n- [Recommended MCP Servers](#recommended-mcp-servers)\n\n## Getting Started\n\n### Read These First\n\nBefore configuring anything, read these to understand the context for why this setup works the way it does:\n\n- [Best practices for Claude Code](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fbest-practices) -- Anthropic's official guide to working effectively with Claude Code\n- [Here's how I use LLMs to help me write code](https:\u002F\u002Fsimonwillison.net\u002F2025\u002FMar\u002F11\u002Fusing-llms-for-code\u002F) -- Simon Willison on practical LLM-assisted coding techniques\n- [AI-assisted coding for teams that can't get away with vibes](https:\u002F\u002Fblog.nilenso.com\u002Fblog\u002F2025\u002F05\u002F29\u002Fai-assisted-coding\u002F) -- Nilenso's playbook for teams integrating AI tools with high standards\n- [My AI Skeptic Friends Are All Nuts](https:\u002F\u002Ffly.io\u002Fblog\u002Fyoure-all-nuts\u002F) -- Thomas Ptacek on why dismissing LLMs for coding is a mistake\n- [Harness engineering](https:\u002F\u002Fopenai.com\u002Findex\u002Fharness-engineering\u002F) -- OpenAI on building a product with zero manually-written code\n\n### Prerequisites\n\n#### Terminal: Ghostty\n\nUse [Ghostty](https:\u002F\u002Fghostty.org). It's the best terminal for Claude Code because it uses native Metal GPU rendering, so it handles the high-volume text output from long AI sessions without lag or memory bloat (~500MB vs ~8GB for two VS Code terminal sessions). Shift+Enter and key bindings work out of the box with no `\u002Fterminal-setup` needed, built-in split panes (Cmd+D \u002F Cmd+Shift+D) let you run Claude Code alongside a dev server without tmux, and it never crashes during extended autonomous runs.\n\n```bash\nbrew install --cask ghostty\n```\n\nmacOS only. On Linux, see the [Ghostty install docs](https:\u002F\u002Fghostty.org\u002Fdocs\u002Finstall\u002Fbinary#linux-(official)). No Windows support yet -- use WezTerm there.\n\n#### Tools\n\nInstall core tools via Homebrew:\n\n```bash\nbrew install jq ripgrep fd ast-grep shellcheck shfmt \\\n  actionlint zizmor macos-trash node@22 pnpm uv\n```\n\nPython tools (via uv):\n\n```bash\nuv tool install ruff\nuv tool install ty\nuv tool install pip-audit\n```\n\nRust toolchain:\n\n```bash\ncurl --proto '=https' --tlsv1.2 -sSf https:\u002F\u002Fsh.rustup.rs | sh\ncargo install prek worktrunk cargo-deny cargo-careful\n```\n\nNode tools:\n\n```bash\nnpm install -g oxlint agent-browser\n```\n\nLM Studio (for [local models](#local-models)):\n\n```bash\ncurl -fsSL https:\u002F\u002Flmstudio.ai\u002Finstall.sh | bash\n```\n\nThis installs `lms` (the CLI) and `llmster` (the headless daemon). Or install the [LM Studio desktop app](https:\u002F\u002Flmstudio.ai\u002Fdownload) if you prefer a GUI.\n\n### Shell Setup\n\nAdd to `~\u002F.zshrc`:\n\n```bash\nalias claude-yolo=\"claude --dangerously-skip-permissions\"\n```\n\n`--dangerously-skip-permissions` bypasses all permission prompts. This is the recommended way to run Claude Code for maximum throughput -- pair it with sandboxing (below).\n\nIf you're using [local models](#local-models), also add:\n\n```bash\nclaude-local() {\n  ANTHROPIC_BASE_URL=http:\u002F\u002Flocalhost:1234 \\\n  ANTHROPIC_AUTH_TOKEN=lmstudio \\\n  CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 \\\n  claude --model qwen\u002Fqwen3-coder-next \"$@\"\n}\n```\n\n`claude-local` wraps `claude` with the local server env vars and disables telemetry pings that won't reach Anthropic anyway. Use it anywhere you'd normally run `claude`.\n\n### Settings\n\nCopy `settings.json` to `~\u002F.claude\u002Fsettings.json` (or merge entries into your existing file). The `$schema` key enables autocomplete and validation in editors that support JSON Schema. The template includes:\n\n- **`env` (privacy)** -- disables three non-essential outbound streams: Statsig telemetry (`DISABLE_TELEMETRY`), Sentry error reporting (`DISABLE_ERROR_REPORTING`), and feedback surveys (`CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY`). Avoid the umbrella `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC` -- it also disables auto-updates.\n- **`env` (agent teams)** -- `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS` enables [multi-agent teams](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fagent-teams) where one session coordinates multiple teammates with independent context windows. Experimental -- known limitations around session resumption and task coordination.\n- **`enableAllProjectMcpServers: false`** -- this is the default, set explicitly so it doesn't get flipped by accident. Project `.mcp.json` files live in git, so a compromised repo could ship malicious MCP servers.\n- **`alwaysThinkingEnabled: true`** -- persists [extended thinking](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fcommon-workflows#use-extended-thinking-thinking-mode) across sessions. Toggle per-session with `Option+T`. Adds latency and cost on simple tasks; worth it for complex reasoning.\n- **`permissions`** -- deny rules that block reading credentials\u002Fsecrets and editing shell config (see [Sandboxing](#sandboxing))\n- **`cleanupPeriodDays: 365`** -- keeps conversation history for a year instead of the default 30 days, so `\u002Finsights` has more data\n- **`hooks`** -- two `PreToolUse` hooks on Bash that block `rm -rf` and direct push to main (see [Hooks](#hooks))\n- **`statusLine`** -- points to the statusline script (see below)\n\n#### Statusline\n\nA two-line status bar at the bottom of the terminal:\n\n```\n [Opus 4.6] 📁 claude-code-config │ 🌿 main\n ████⣿⣿⣿⣿⣿⣿⣿⣿ 28% │ $0.83 │ ⏱ 12m 34s ↻89%\n```\n\nLine 1 shows the model, current folder, and git branch. Line 2 shows a visual context usage bar (color-coded: green \u003C50%, yellow 50-79%, red 80%+), session cost, elapsed time, and prompt cache hit rate.\n\nCopy the script:\n\n```bash\nmkdir -p ~\u002F.claude\ncp scripts\u002Fstatusline.sh ~\u002F.claude\u002Fstatusline.sh\nchmod +x ~\u002F.claude\u002Fstatusline.sh\n```\n\nThe `statusLine` entry in `settings.json` points to this script. Requires `jq`.\n\n### Global CLAUDE.md\n\nThe global `CLAUDE.md` file at `~\u002F.claude\u002FCLAUDE.md` sets default instructions for every Claude Code session. It covers development philosophy (no speculative features, no premature abstraction, replace don't deprecate), code quality hard limits (function length, complexity, line width), language-specific toolchains for Python (`uv`, `ruff`, `ty`), Node\u002FTypeScript (`oxlint`, `vitest`), Rust (`clippy`, `cargo deny`), Bash, and GitHub Actions, plus testing methodology, code review order, and workflow conventions (commits, hooks, PRs).\n\nCopy the template into place:\n\n```bash\ncp claude-md-template.md ~\u002F.claude\u002FCLAUDE.md\n```\n\nReview and customize it for your own preferences. The template is opinionated -- adjust the language sections, tool choices, and hard limits to match your stack. For background on how CLAUDE.md files work (hierarchy, auto memory, modular rules, imports), see [Manage Claude's memory](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fmemory).\n\n## Configuration\n\n### Sandboxing\n\nAt Trail of Bits we run Claude Code in bypass-permissions mode (`--dangerously-skip-permissions`). This means you need to understand your sandboxing options -- the agent will execute commands without asking, so the sandbox is what keeps it from doing damage.\n\n#### Built-in sandbox (`\u002Fsandbox`)\n\nClaude Code has a native sandbox that provides filesystem and network isolation using OS-level primitives (Seatbelt on macOS, bubblewrap on Linux). Enable it by typing `\u002Fsandbox` in a session. In auto-allow mode, Bash commands that stay within sandbox boundaries run without permission prompts.\n\n**Default behavior:** Writes are restricted to the current working directory and its subdirectories. Reads are unrestricted -- the agent can still read `~\u002F.ssh`, `~\u002F.aws`, etc. Network access is limited to explicitly allowed domains.\n\n**Hardening reads:** The `settings.json` template includes `Read` and `Edit` deny rules that block access to credentials and secrets:\n\n- **SSH\u002FGPG keys** -- `~\u002F.ssh\u002F**`, `~\u002F.gnupg\u002F**`\n- **Cloud credentials** -- `~\u002F.aws\u002F**`, `~\u002F.azure\u002F**`, `~\u002F.kube\u002F**`, `~\u002F.docker\u002Fconfig.json`\n- **Package registry tokens** -- `~\u002F.npmrc`, `~\u002F.npm\u002F**`, `~\u002F.pypirc`, `~\u002F.gem\u002Fcredentials`\n- **Git credentials** -- `~\u002F.git-credentials`, `~\u002F.config\u002Fgh\u002F**`\n- **Shell config** -- `~\u002F.bashrc`, `~\u002F.zshrc` (edit denied, prevents backdoor planting)\n- **macOS keychain** -- `~\u002FLibrary\u002FKeychains\u002F**`\n- **Crypto wallets** -- metamask, electrum, exodus, phantom, solflare app data\n\nWithout `\u002Fsandbox`, deny rules only block Claude's built-in tools -- Bash commands bypass them. With `\u002Fsandbox` enabled, the same rules are enforced at the OS level (Seatbelt\u002Fbubblewrap), so Bash commands are also blocked. Use both.\n\nFor the design rationale behind sandboxing, see Anthropic's [engineering blog post](https:\u002F\u002Fwww.anthropic.com\u002Fengineering\u002Fclaude-code-sandboxing). For the full configuration reference, see the [sandboxing docs](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fsandboxing).\n\n#### Devcontainer\n\nFor full read and write isolation, use a devcontainer. The agent runs in a container with only the project files mounted -- it has no access to your host filesystem, SSH keys, cloud credentials, or anything else outside the container.\n\n- [trailofbits\u002Fclaude-code-devcontainer](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-devcontainer) -- preconfigured devcontainer with VS Code integration, Claude Code pre-installed, and common development tools\n\n#### Remote droplets\n\nFor complete isolation from your local machine, run the agent on a disposable cloud instance:\n\n- [trailofbits\u002Fdropkit](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fdropkit) -- CLI tool for managing DigitalOcean droplets with automated setup, SSH config, and Tailscale VPN. Create a droplet, SSH in, run Claude Code, destroy it when done.\n\n### Hooks\n\nHooks are shell commands (or LLM prompts) that fire at specific points in Claude Code's lifecycle. They are a way to talk to the LLM at decision points it wouldn't otherwise pause at. Every `PreToolUse` hook is a chance to say \"stop, think about this\" or \"don't do that, do this instead.\" Every `PostToolUse` hook is a chance to say \"now that you did that, here's what you should know.\" Every `Stop` hook is a chance to say \"you're not done yet.\"\n\nThis is more powerful than system prompt instructions alone because hooks fire at specific, contextual moments. An instruction in your CLAUDE.md saying \"never use `rm -rf`\" can be forgotten or overridden by context pressure. A `PreToolUse` hook that blocks `rm -rf` fires every single time, with the error message right at the point of decision.\n\nHooks are not a security boundary -- a prompt injection can work around them. They are **structured prompt injection at opportune times**: intercepting tool calls, injecting context, blocking known-bad patterns, and steering agent behavior. Guardrails, not walls.\n\nIn practice, use them to:\n- **Block known-bad patterns** -- `rm -rf`, push to main, wrong package manager\n- **Add your own logging** -- audit trails, bash command logs, mutation tracking\n- **Nudge Claude to keep going** -- a `Stop` hook can review Claude's final response and force it to continue if it's rationalizing incomplete work\n- **Inject context at decision points** -- post-write lint results, pre-tool security warnings\n\nGuide and examples: [Automate workflows with hooks](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fhooks-guide)\n\nDon't want to write hooks by hand? The [hookify plugin](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-plugins-official\u002Ftree\u002Fmain\u002Fplugins\u002Fhookify) generates them from plain English -- `\u002Fhookify Warn me when I use rm -rf commands`.\n\n#### Hook events\n\n| Event | When it fires | Can block? |\n|-------|---------------|------------|\n| `PreToolUse` | Before a tool call executes | Yes |\n| `PostToolUse` | After a tool call succeeds | No (already ran) |\n| `UserPromptSubmit` | When user submits a prompt | Yes |\n| `Stop` | When Claude finishes responding | Yes (forces continue) |\n| `SessionStart` | When a session begins\u002Fresumes | No |\n| `SubagentStart`\u002F`Stop` | When a subagent spawns\u002Ffinishes | Start: no, Stop: yes |\n| `TaskCompleted` | When a task is marked complete | Yes |\n| `TeammateIdle` | When a teammate is about to idle | Yes |\n\n#### Exit codes\n\n| Exit code | Behavior |\n|-----------|----------|\n| 0 | Action allowed (stdout parsed for JSON control) |\n| 1 | Error, non-blocking (stderr shown in verbose mode) |\n| 2 | Blocking error (stderr fed back to Claude as error message) |\n\n#### Examples\n\n> **These are patterns to adapt, not drop-in configs.** Only the two blocking hooks in `settings.json` are recommended defaults. Everything else below is here for inspiration -- read the code, understand what it does, and tailor it to your workflow before using it.\n\n**Blocking patterns** (`PreToolUse`, in `settings.json`): The two hooks in this repo's `settings.json` block `rm -rf` (suggests `trash` instead) and direct push to main\u002Fmaster (requires feature branches). Both read the Bash command from stdin via `jq`, match with regex, and exit 2 with an error message that tells Claude what to do instead.\n\n**Audit logging** (`PostToolUse`): [`hooks\u002Flog-gam.sh`](hooks\u002Flog-gam.sh) shows how to build an audit trail for a CLI tool. This example tracks GAM (Google Apps Manager) commands -- it classifies each as read or write using verb pattern lists, skips reads, and logs mutations with timestamp, action, command, and exit status. The pattern generalizes: swap the verb lists for any CLI where you want to log mutations. Wire it up as a `PostToolUse` hook on `Bash`.\n\n**Bash command log** (`PostToolUse`): Appends every Bash command the agent runs to a log file with a timestamp. Useful for post-session review of what the agent actually did.\n\n```json\n{\n  \"PostToolUse\": [\n    {\n      \"matcher\": \"Bash\",\n      \"hooks\": [\n        {\n          \"type\": \"command\",\n          \"command\": \"jq -r '\\\"[\\\" + (now | todate) + \\\"] \\\" + .tool_input.command' >> ~\u002F.claude\u002Fbash-commands.log\"\n        }\n      ]\n    }\n  ]\n}\n```\n\n**Desktop notifications** (`Notification`): Fires a native OS notification when Claude needs your attention, so you can switch to other work during long autonomous runs instead of watching the terminal.\n\n```json\n{\n  \"Notification\": [\n    {\n      \"matcher\": \"\",\n      \"hooks\": [\n        {\n          \"type\": \"command\",\n          \"command\": \"osascript -e 'display notification \\\"Claude needs your attention\\\" with title \\\"Claude Code\\\"'\"\n        }\n      ]\n    }\n  ]\n}\n```\n\nOn Linux, replace the command with `notify-send 'Claude Code' 'Claude needs your attention'`.\n\n**Enforce package manager** (`PreToolUse`): [`hooks\u002Fenforce-package-manager.sh`](hooks\u002Fenforce-package-manager.sh) blocks `npm` commands in projects that use `pnpm` and tells Claude to use the right tool. Generalizes to any \"use X not Y\" convention.\n\n**Anti-rationalization gate** (`Stop`, prompt hook): Claude has a tendency to declare victory while leaving work undone. It rationalizes skipping things: \"these issues were pre-existing,\" \"fixing this is out of scope,\" \"I'll leave these for a follow-up.\" A prompt-based `Stop` hook catches this by asking a fast model to review Claude's final response for cop-outs before allowing it to stop.\n\n```json\n{\n  \"Stop\": [\n    {\n      \"hooks\": [\n        {\n          \"type\": \"prompt\",\n          \"prompt\": \"You are a JSON-only evaluator. You MUST respond with a single JSON object and NOTHING else. No markdown, no code fences, no explanation, no preamble. Just the raw JSON object.\\n\\nReview the assistant's final response. Reject if the assistant is rationalizing incomplete work: claiming issues are 'pre-existing' or 'out of scope', saying 'too many issues' to fix, deferring to unrequested 'follow-ups', listing problems without fixing them, or skipping test\u002Flint failures with excuses.\\n\\nIf any of those patterns apply, respond:\\n{\\\"ok\\\": false, \\\"reason\\\": \\\"You are rationalizing incomplete work. [specific issue]. Go back and finish.\\\"}\\n\\nOtherwise respond:\\n{\\\"ok\\\": true}\"\n        }\n      ]\n    }\n  ]\n}\n```\n\nThis uses `type: \"prompt\"` instead of `type: \"command\"` -- Claude Code sends the hook's prompt plus the assistant's response to a fast model (Haiku), which returns a yes\u002Fno judgment. If rejected, the `reason` is fed back to Claude as its next instruction, forcing it to continue.\n\n**Important:** The prompt must explicitly instruct the evaluator to respond with raw JSON only. Without this, Haiku wraps the JSON in markdown code fences or adds explanatory text, which fails JSON parsing and silently breaks the hook. Prompt hooks default to a 30-second timeout; adjust with the `timeout` field if needed.\n\n### Plugins and Skills\n\nClaude Code's capabilities come from plugins, which provide skills (reusable workflows), agents (specialized subagents), and commands (slash commands). Plugins are distributed through marketplaces.\n\n#### Trail of Bits marketplaces\n\nInstall the three Trail of Bits marketplaces:\n\n```bash\nclaude plugin marketplace add trailofbits\u002Fskills\nclaude plugin marketplace add trailofbits\u002Fskills-internal\nclaude plugin marketplace add trailofbits\u002Fskills-curated\n```\n\n| Repository | Description |\n|------------|-------------|\n| [trailofbits\u002Fskills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills) | Our public skills for security auditing, smart contract analysis, reverse engineering, code review, and development workflows. |\n| [trailofbits\u002Fskills-internal](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-internal) | Automated exploitation, fuzz harness generation, vulnerability-class-specific analysis, audit report writing in the Trail of Bits house style, engagement scoping, client deliverables, and proprietary workflows. Private to Trail of Bits. |\n| [trailofbits\u002Fskills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) | Third-party skills and external marketplaces we've vetted and approved for use. Every addition gets code review. |\n\nFor external marketplaces (Anthropic official, superpowers, compound-engineering, etc.), see [skills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) -- it maintains the approved list and install scripts.\n\n#### agent-browser skill\n\nThe `agent-browser` CLI (installed in [Prerequisites](#tools)) ships its own marketplace with a first-party skill that teaches Claude the snapshot\u002Fref workflow, command syntax, session management, authentication flows, video recording, and proxy support (~2,000 lines of reference material plus reusable shell templates). agent-browser is new enough that it's not in the model's pretraining data -- without this skill, Claude won't know the ref lifecycle or command API.\n\n```\n\u002Fplugin marketplace add vercel-labs\u002Fagent-browser\n\u002Fplugin install agent-browser@agent-browser\n```\n\n### MCP Servers\n\nEveryone at Trail of Bits should set up at least **Context7** and **Exa** as global MCP servers.\n\n| Server | What it does | Requirements |\n|--------|-------------|--------------|\n| Context7 | Up-to-date library documentation lookup | None (no API key) |\n| Exa | Web and code search (see [Web Browsing](#web-browsing)) | `EXA_API_KEY` env var (Trail of Bits employees: shared key in 1Password; external users: [get one here](https:\u002F\u002Fexa.ai)) |\n\n#### Setup\n\nMCP servers are configured in `.mcp.json` files. Claude Code merges configs from two locations:\n\n- **`~\u002F.mcp.json`** -- global servers available in every session\n- **`.mcp.json` in the project root** -- project-specific servers\n\nCopy `mcp-template.json` from this repo to `~\u002F.mcp.json` for global availability. Replace `your-exa-api-key-here` with your actual key, or remove the `exa` entry if you don't have one. Add project-specific MCP servers (e.g., a local database tool) to the project's `.mcp.json`.\n\n### Local Models\n\nUse [LM Studio](https:\u002F\u002Flmstudio.ai) to run local LLMs with Claude Code. LM Studio provides an Anthropic-compatible `\u002Fv1\u002Fmessages` endpoint, so Claude Code connects with just a base URL change. On macOS it uses MLX for Apple Silicon-native inference, which is significantly faster than GGUF.\n\n#### Recommended model: Qwen3-Coder-Next (as of February 2026)\n\n[Qwen3-Coder-Next](https:\u002F\u002Flmstudio.ai\u002Fmodels\u002Fqwen3-coder-next) is an 80B mixture-of-experts model with only 3B active parameters, designed specifically for agentic coding. It handles tool use, long-horizon reasoning, and recovery from execution failures. The MLX 4-bit quantization is ~45GB and needs at least 64GB unified memory to load with a usable context window. 96GB or more is comfortable.\n\nLocal models move fast. When this recommendation is stale, check the [LM Studio featured models page](https:\u002F\u002Flmstudio.ai\u002Fmodels) and pick the top coding model that fits in your memory as an MLX 4-bit quantization.\n\n#### Setup\n\nDownload, load, and serve -- all from the CLI:\n\n```bash\nlms get Qwen3-Coder-Next@MLX-4bit -y\nlms load qwen\u002Fqwen3-coder-next --context-length 32768 --gpu max -y\nlms server start\n```\n\n`--context-length 32768` allocates a 32K context window at load time. Claude Code is context-heavy, so don't go below 25K. Sampling parameters (temperature, top-p, etc.) don't need to be configured on the server -- Claude Code sends its own in each API request.\n\n#### Connecting\n\nPoint Claude Code at LM Studio by setting the base URL and an auth token (any string works for local servers):\n\n```bash\nANTHROPIC_BASE_URL=http:\u002F\u002Flocalhost:1234 \\\nANTHROPIC_AUTH_TOKEN=lmstudio \\\nclaude\n```\n\nOr use the `claude-local` shell function from [Shell Setup](#shell-setup) to avoid typing the env vars every time.\n\nIf `claude-local` fails with `The number of tokens to keep from the initial prompt is greater than the context length.` message, then try disabling auto-loaded tools (`--strict-mcp-config` first, then try also `--disable-slash-commands` and `--system-prompt \"You are a helpful coding assistant.\"`).\n\nIf `claude-local` fails with `request.thinking.type: Invalid discriminator value. Expected 'enabled' | 'disabled'\"` then add `--settings '{\"alwaysThinkingEnabled\": false}'` flag.\n\nFor the full list of environment variables (model overrides, subagent models, traffic controls, etc.), see the [model configuration docs](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fmodel-config).\n\n\n### Personalization\n\nYou can customize the spinner verbs that appear while Claude is working. Ask Claude: \"In my settings, make my spinner verbs Hackers themed\" — or Doom, or Star Trek, or anything else.\n\n# Usage\n\nRead Anthropic's [Best practices for Claude Code](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fbest-practices) before anything in this section. It's the single most important resource for getting good results. Everything below builds on it.\n\n## Continuous Improvement\n\nMost people's use of Claude Code plateaus early. You find a workflow that works, repeat it, and never discover what you're leaving on the table. The fix is a deliberate feedback loop: review what happened, adjust your setup, and let the next week benefit from what you learned.\n\nRun `\u002Finsights` once a week. It analyzes your recent sessions and surfaces patterns -- what's working, what's failing, where you're spending time. When it tells you something useful, act on it: add a rule to your CLAUDE.md, write a hook to block a mistake you keep making, extract a repeated workflow into a skill. Each adjustment compounds. After a few weeks your setup is meaningfully different from the defaults, tuned to how you actually work.\n\n## Project-level CLAUDE.md\n\nFor each project you work on, add a `CLAUDE.md` at the repo root with project-specific context. The [global CLAUDE.md](#global-claudemd) sets defaults; the project file layers on what's unique to this codebase. A good project CLAUDE.md includes architecture (directory tree, key abstractions), build and test commands (`make dev`, `make test`), codebase navigation patterns (ast-grep examples for your codebase), domain-specific APIs and gotchas, and testing conventions.\n\nFor an example of a well-structured project CLAUDE.md, see [crytic\u002Fslither's CLAUDE.md](https:\u002F\u002Fgithub.com\u002Fcrytic\u002Fslither\u002Fblob\u002Fmaster\u002FCLAUDE.md). It layers slither-specific context -- SlithIR internals, detector traversal patterns, type handling pitfalls -- on top of the same global standards from this repo.\n\n## Output Styles\n\nEnable the **Explanatory** [output style](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Foutput-styles) (`\u002Foutput-style explanatory` or `\"outputStyle\": \"Explanatory\"` in `settings.json`) when getting familiar with a new codebase. Claude explains frameworks and code patterns as it works, adding \"★ Insight\" blocks with reasoning and design choices alongside its normal output. Useful when auditing unfamiliar code, reviewing a language you don't write daily, or onboarding onto a client engagement. The tradeoff is context: longer responses mean earlier compaction. Switch back to the default when you want speed. You can also [create custom styles](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Foutput-styles) as markdown files in `~\u002F.claude\u002Foutput-styles\u002F`.\n\n## Context Management\n\nThe context window is finite and irreplaceable mid-session. Every file read, tool call, and conversation turn consumes it. When it fills up, Claude auto-compacts -- summarizing the conversation to free space. Auto-compaction works, but it's lossy: subtle decisions, error details, and the thread of reasoning degrade each time. The best strategy is to avoid needing it.\n\n### Keeping sessions clean\n\n**Scope work to one session.** Each feature, bug fix, or investigation should fit within a single context window. If a task is too large, break it into pieces and run each in a fresh session. This is the single most effective thing you can do for quality.\n\nA session that stays within its context budget produces better code than one that compacts three times to limp across the finish line. When you notice context running low (check the statusline -- green >50%, yellow >20%, red below), it's time to wrap up and start a new session, not push through.\n\n**Prefer `\u002Fclear` over `\u002Fcompact`.** `\u002Fclear` wipes the conversation and starts fresh. `\u002Fcompact` summarizes and continues. Default to `\u002Fclear` between tasks.\n\n`\u002Fcompact` is useful when you're mid-task and need to reclaim space without losing your place, but each compaction is a lossy compression -- details get dropped, and the model's understanding of your intent degrades slightly. Two compactions in a session is a sign the task was too large. `\u002Fclear` has no information loss because there's nothing to lose -- your CLAUDE.md reloads, git state is fresh, and the agent re-reads whatever files it needs. When you do use `\u002Fcompact`, pass focus instructions to steer the summary: `\u002Fcompact Focus on the auth refactor` preserves what matters and sheds the rest.\n\n**Cut your losses after two corrections.** If you've corrected Claude twice on the same issue and it's still wrong, don't keep pushing -- the context is polluted with failed approaches. Use checkpoints (`Esc Esc` or `\u002Frewind`) to roll back to before the first wrong attempt and try again with a better prompt. If the session is too far gone even for that, `\u002Fclear` and start fresh. A clean prompt that incorporates what you learned almost always outperforms a long session with accumulated corrections.\n\n### Tools for managing context\n\n**Checkpoints** (`Esc Esc` or `\u002Frewind`) restore code and conversation to any previous prompt in the session. They're your undo system -- use them aggressively. Try risky approaches knowing you can rewind if they don't work out.\n\nThe \"Summarize from here\" option in the rewind menu is a more surgical alternative to `\u002Fcompact`: instead of compressing everything, you keep early context intact and only summarize the part that's eating space (like a verbose debugging tangent). This preserves your initial instructions at full fidelity.\n\n**Offload research to subagents.** Subagents (Task tool, custom agents) each get their own context window. The main session only sees the subagent's summary, not its full working context.\n\nUse this deliberately: when a task requires reading a lot of documentation, exploring unfamiliar code, or doing research that would bloat your main session, delegate it to a subagent. The main session stays lean and focused on implementation while subagents handle the context-heavy exploration.\n\n**For complex features, interview first, implement second.** Have Claude interview you about the feature (requirements, edge cases, tradeoffs), then write a spec to a file. Start a fresh session to implement the spec.\n\n**Put stable context in CLAUDE.md, not the conversation.** Project architecture, coding standards, tool preferences, workflow conventions -- anything reusable goes in CLAUDE.md. It loads automatically every session and survives `\u002Fclear`.\n\nIf you need to pass context between sessions, commit your work, write a brief plan to a file, `\u002Fclear`, and start the next session by pointing Claude at that file. You can also resume previous sessions with `claude --continue` (picks up the last session) or `claude --resume` (lets you choose from recent sessions). But a fresh session with a written handoff is usually better than resuming a stale one -- the context is cleaner and the prompt cache is warm.\n\n## Web Browsing\n\nClaude Code has three ways to interact with the web.\n\n### Exa AI (MCP)\n\nSemantic web search that returns clean, LLM-optimized text. Unlike the built-in `WebSearch` tool (which returns search result links that Claude then has to fetch and parse), Exa returns the actual content pre-extracted and formatted for LLM consumption. This saves context window and produces more relevant results. Your CLAUDE.md can instruct Claude to prefer Exa over `WebSearch`.\n\n### agent-browser\n\nHeadless browser automation via CLI. Runs its own Chromium instance -- it does **not** share your Chrome profile, cookies, or login sessions. This means it can't access authenticated pages (Google Docs, internal dashboards, etc.) without logging in from scratch. What it excels at is context efficiency: the snapshot\u002Fref system (`@e1`, `@e2`) uses ~93% less context than sending full accessibility trees, so the agent can navigate complex multi-page workflows without exhausting its context window. Also supports video recording and parallel sessions.\n\n```bash\nagent-browser open \u003Curl>        # Navigate\nagent-browser snapshot -i       # Get element refs (@e1, @e2)\nagent-browser click @e1         # Click element\nagent-browser fill @e2 \"text\"   # Fill input\nagent-browser screenshot        # Capture screenshot\n```\n\nYou need to install the first-party skill for Claude to use agent-browser effectively -- see [agent-browser skill](#agent-browser-skill) in Configuration.\n\n### Claude in Chrome (MCP)\n\nBrowser automation via the [Claude in Chrome](https:\u002F\u002Fchromewebstore.google.com\u002Fdetail\u002Fclaude\u002Ffcoeoabgfenejglbffodgkkbkcdhcgfn) extension. Operates inside your actual Chrome browser, so it has access to your existing login sessions, cookies, and extensions. This is the only option that can interact with authenticated pages (Gmail, Google Docs, Jira, internal tools) without re-authenticating. The tradeoff is that it uses screenshots and accessibility trees for page understanding, which consumes more context than agent-browser's ref system.\n\n### When to use which\n\n| Need | Use |\n|------|-----|\n| Search the web for information | Exa |\n| Automate multi-step workflows on public pages | agent-browser |\n| Interact with authenticated\u002Finternal pages | Claude in Chrome |\n| Record a video of browser actions | agent-browser |\n| Inspect visual layout or take screenshots for analysis | Claude in Chrome |\n\n## Fast Mode\n\n`\u002Ffast` toggles fast mode. Same Opus 4.6 model, ~2.5x faster output, 6x the cost per token. Leave it off by default.\n\nThe only time fast mode is worth it is **tight interactive loops** -- you're debugging live, iterating on output, and every second of latency costs you focus. If you're about to kick off an autonomous run (`\u002Ffix-issue`, a swarm, anything you walk away from), turn it off first. The agent doesn't benefit from lower latency; you're just burning money.\n\nIf you do use it, enable it at session start. Toggling it on mid-conversation reprices your entire context at fast-mode rates and invalidates prompt cache. See the [fast mode docs](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Ffast-mode) for details.\n\n## Commands\n\nCustom slash commands are markdown files that define parameterized procedures. They take arguments, run a specific sequence of steps, and produce a result. These were extracted from manual workflows that kept showing up in `\u002Finsights` -- if you notice yourself repeating the same multi-step sequence, it's a good candidate for a command.\n\nOnce a workflow is a command, it's something an agent can run too. Wrap a shell script around `claude -p` with `xargs -P` to dispatch the same command across repos in parallel -- each gets its own headless session with a budget cap.\n\n```bash\nmkdir -p ~\u002F.claude\u002Fcommands\ncp commands\u002Freview-pr.md ~\u002F.claude\u002Fcommands\u002F\ncp commands\u002Ffix-issue.md ~\u002F.claude\u002Fcommands\u002F\ncp commands\u002Fmerge-dependabot.md ~\u002F.claude\u002Fcommands\u002F\n```\n\n### Review PR\n\n[`commands\u002Freview-pr.md`](commands\u002Freview-pr.md) -- Reviews a GitHub PR with parallel agents (pr-review-toolkit, Codex, Gemini), fixes findings, and pushes. Invoke with `\u002Freview-pr 456` where `456` is the PR number.\n\n### Fix Issue\n\n[`commands\u002Ffix-issue.md`](commands\u002Ffix-issue.md) -- Takes a GitHub issue and fully autonomously completes it -- researches, plans, implements, tests, creates a PR, self-reviews with parallel agents, fixes its own findings, and comments on the issue when done. Invoke with `\u002Ffix-issue 123` where `123` is the issue number.\n\n### Merge Dependabot\n\n[`commands\u002Fmerge-dependabot.md`](commands\u002Fmerge-dependabot.md) -- Evaluates and merges open dependabot PRs for a repo. Audits dependabot config, builds a transitive dependency map, batches overlapping PRs, evaluates each in parallel (build, test, matrix gap analysis), and merges passing PRs sequentially with post-merge re-testing. Invoke with `\u002Fmerge-dependabot trailofbits\u002Falgo`.\n\n## Writing Skills and Agents\n\nSkills and agents encode expertise rather than procedures. Where a command runs a specific sequence of steps, a skill teaches Claude *how to think* about a category of work, and an agent is a specialist you hand a job to. Read Anthropic's [skill authoring best practices](https:\u002F\u002Fplatform.claude.com\u002Fdocs\u002Fen\u002Fagents-and-tools\u002Fagent-skills\u002Fbest-practices) first for guidance on structure, descriptions, and progressive disclosure.\n\n**Skills** load instructions into the current session. They're conventions, checklists, and decision frameworks that shape how Claude approaches work -- not step-by-step scripts. **Agents** run in their own context window with a dedicated system prompt. Use an agent when the work benefits from a focused persona, would bloat the main session with context, needs a constrained tool set, or should run in parallel with other work.\n\n**Agent personas for security work.** A \"senior auditor who's triaged hundreds of reentrancy bugs\" approaches code differently than a \"fuzzing engineer thinking about coverage and crash triage.\" The system prompt shapes what the agent notices and prioritizes, not just what steps it follows. When you have deep expertise in a vulnerability class or analysis methodology, encode it as an agent persona, not just a skill checklist.\n\n**Tooling.** The `plugin-dev` plugin (from `claude-plugins-official`) has workflows for both. `\u002Fplugin-dev:skill-development` walks you through a 6-step process for skills. `\u002Fplugin-dev:agent-development` does the same for agents. For a full plugin with multiple components, use `\u002Fplugin-dev:create-plugin` to orchestrate the process.\n\n**Quality.** For security skills and agents, don't just describe the workflow. Bundle the reference material that makes it expert-level: analysis checklists, vulnerability patterns, example outputs, and the decision logic an experienced auditor would apply. Keep the SKILL.md lean (under 2,000 words) and move detailed content into `references\u002F` files.\n\n### Publishing skills\n\nWhere to publish depends on the audience:\n\n- **Public and open source** -- submit a PR to [trailofbits\u002Fskills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills).\n- **Internal to Trail of Bits** -- submit a PR to [trailofbits\u002Fskills-internal](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-internal).\n- **Third-party skill you want approved** -- submit a PR to [trailofbits\u002Fskills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) with attribution to the original source. Every PR gets code review.\n\n## Recommended Skills\n\nSkills come from plugins you install via the Trail of Bits marketplaces and third-party marketplaces. Here are the ones worth knowing about from each.\n\n### Trail of Bits ([trailofbits\u002Fskills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills))\n\nSecurity auditing, code analysis, and development workflows. Installed automatically with the Trail of Bits marketplace.\n\n| Skill | What it does | When to use it |\n|-------|-------------|----------------|\n| `ask-questions-if-underspecified` | Asks 1-5 targeted clarification questions before starting work | Any underspecified request -- prevents building the wrong thing |\n| `modern-python` | Configures projects with uv, ruff, ty, pytest, prek | New Python projects or migrating from pip\u002FPoetry\u002Fmypy\u002Fblack |\n| `audit-context-building` | Line-by-line code analysis using First Principles and 5 Whys methodology | Building deep understanding of unfamiliar code before an audit |\n| `differential-review` | Security-focused review of code changes with blast radius analysis | Reviewing PRs or commits where security impact matters |\n\n### Superpowers ([obra\u002Fsuperpowers](https:\u002F\u002Fgithub.com\u002Fobra\u002Fsuperpowers))\n\nWorkflow discipline -- enforces planning before coding, structured debugging, and verification before declaring victory. The skills chain together: brainstorm → plan → execute → verify.\n\n| Skill | What it does | When to use it |\n|-------|-------------|----------------|\n| `\u002Fsuperpowers:brainstorm` | Refines ideas through Socratic questioning before implementation | Starting any non-trivial feature -- catches unclear requirements early |\n| `\u002Fsuperpowers:systematic-debugging` | Structured 4-phase root cause analysis | Any bug where the cause isn't obvious -- prevents treating symptoms |\n\n### Anthropic Official ([anthropics\u002Fclaude-code\u002Fplugins](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\u002Ftree\u002Fmain\u002Fplugins))\n\nOfficial plugins maintained in the Claude Code repo. Install via the `claude-plugins-official` marketplace.\n\n| Skill | What it does | When to use it |\n|-------|-------------|----------------|\n| `frontend-design` | Auto-invoked on frontend tasks with guidance on bold design, typography, animations, and visual polish -- avoids generic AI aesthetics | Building web components, pages, or applications where visual quality matters |\n| `\u002Fpr-review-toolkit:review-pr` | Runs 6 specialized agents in parallel: comments, tests, error handling, type design, code quality, and code simplification | PR review -- run with `all` or pick specific aspects (`simplify`, `tests`, `errors`, etc.) |\n\nThe `code-simplifier` agent inside `pr-review-toolkit` can also be targeted individually with `\u002Fpr-review-toolkit:review-pr simplify` for a focused simplification pass.\n\n### Compound Engineering ([EveryInc\u002Fcompound-engineering-plugin](https:\u002F\u002Fgithub.com\u002FEveryInc\u002Fcompound-engineering-plugin))\n\nMulti-agent workflows for planning and review.\n\n| Skill | What it does | When to use it |\n|-------|-------------|----------------|\n| `\u002Fworkflows:plan` | Turns feature descriptions into implementation plans with parallel research agents | Starting a feature that touches multiple files or components |\n| `\u002Fworkflows:review` | Runs 15 specialized review agents in parallel (security, performance, architecture, style) | Before merging any significant PR -- catches what solo review misses |\n\n## Recommended MCP Servers\n\nBeyond the core Context7 and Exa servers (see [MCP Servers](#mcp-servers)), these are worth adding for specific workflows.\n\n| Server | What it does | Requirements |\n|--------|-------------|--------------|\n| [Granola](https:\u002F\u002Fgranola.ai) | Meeting notes and transcripts | Granola app with paid plan |\n| [slither-mcp](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fslither-mcp) | Slither static analysis for Solidity smart contracts -- vulnerability detection, call graphs, inheritance mapping, function metadata | Python 3.11+, Solidity compiler (Foundry\u002FHardhat) |\n| [pyghidra-mcp](https:\u002F\u002Fgithub.com\u002Fclearbluejar\u002Fpyghidra-mcp) | Headless Ghidra reverse engineering -- binary analysis, decompilation, cross-references, semantic search via embeddings | Ghidra (`GHIDRA_INSTALL_DIR` env var) |\n| [Serena](https:\u002F\u002Fgithub.com\u002Foraios\u002Fserena) | Symbol-level code navigation and editing across 30+ languages via LSP -- find symbols, references, and edit by symbol rather than line number | `uv`, language-specific LSP servers |\n","# Trail of Bits Claude Code 配置\n\nTrail of Bits 为 Claude Code 提供的约定默认值、文档和工作流。涵盖沙箱化、权限、钩子、技能、MCP 服务器，以及我们在安全审计、开发和研究中发现的有效使用模式。\n\n> 另请参阅：[skills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills) · [skills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) · [claude-code-devcontainer](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-devcontainer) · [dropkit](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fdropkit)\n\n**首次设置：**\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-config.git\ncd claude-code-config\nclaude\n```\n\n然后在会话内运行 `\u002Ftrailofbits:config`。它会引导你完成每个组件的安装，检测你已有的内容，并自动安装该命令，以便今后从任何目录都能正常运行。更新后再次运行 `\u002Ftrailofbits:config`。\n\n## 目录\n\n**[入门](#getting-started)**\n- [请先阅读](#read-these-first)\n- [先决条件](#prerequisites)\n- [Shell 设置](#shell-setup)\n- [设置](#settings)\n- [全局 CLAUDE.md](#global-claudemd)\n\n**[配置](#configuration)**\n- [沙箱化](#sandboxing)\n- [钩子](#hooks)\n- [插件和技能](#plugins-and-skills)\n- [MCP 服务器](#mcp-servers)\n- [本地模型](#local-models)\n- [个性化](#personalization)\n\n**[使用](#usage)**\n- [持续改进](#continuous-improvement)\n- [项目级 CLAUDE.md](#project-level-claudemd)\n- [上下文管理](#context-management)\n- [网页浏览](#web-browsing)\n- [快速模式](#fast-mode)\n- [命令](#commands)\n- [编写技能和代理](#writing-skills-and-agents)\n- [推荐技能](#recommended-skills)\n- [推荐 MCP 服务器](#recommended-mcp-servers)\n\n## 入门\n\n### 请先阅读\n\n在进行任何配置之前，请先阅读以下内容，以了解此设置为何如此设计：\n\n- [Claude Code 最佳实践](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fbest-practices) —— Anthropic 官方关于高效使用 Claude Code 的指南\n- [我如何利用 LLM 帮助我编写代码](https:\u002F\u002Fsimonwillison.net\u002F2025\u002FMar\u002F11\u002Fusing-llms-for-code\u002F) —— Simon Willison 关于实用 LLM 辅助编码技巧的分享\n- [面向无法仅靠直觉工作的团队的 AI 辅助编码](https:\u002F\u002Fblog.nilenso.com\u002Fblog\u002F2025\u002F05\u002F29\u002Fai-assisted-coding\u002F) —— Nilenso 针对高标准团队集成 AI 工具的行动手册\n- [我的那些对 AI 怀疑的朋友都疯了](https:\u002F\u002Ffly.io\u002Fblog\u002Fyoure-all-nuts\u002F) —— Thomas Ptacek 论为何否定 LLM 在编码中的作用是错误的\n- [Harness 工程](https:\u002F\u002Fopenai.com\u002Findex\u002Fharness-engineering\u002F) —— OpenAI 关于构建完全无需人工编写代码的产品的经验\n\n### 先决条件\n\n#### 终端：Ghostty\n\n请使用 [Ghostty](https:\u002F\u002Fghostty.org)。它是 Claude Code 的最佳终端，因为它采用原生 Metal GPU 渲染，能够流畅处理长时间 AI 会话产生的大量文本输出，而不会出现卡顿或内存膨胀（约 500MB 对比 VS Code 两个终端会话的约 8GB）。Shift+Enter 和快捷键开箱即用，无需额外的 `\u002Fterminal-setup` 配置；内置的分屏功能（Cmd+D \u002F Cmd+Shift+D）让你无需 tmux 即可同时运行 Claude Code 和开发服务器；并且在长时间自主运行时绝不会崩溃。\n\n```bash\nbrew install --cask ghostty\n```\n\n仅适用于 macOS。Linux 用户请参考 [Ghostty 安装文档](https:\u002F\u002Fghostty.org\u002Fdocs\u002Finstall\u002Fbinary#linux-(official))。目前尚不支持 Windows —— 请改用 WezTerm。\n\n#### 工具\n\n通过 Homebrew 安装核心工具：\n\n```bash\nbrew install jq ripgrep fd ast-grep shellcheck shfmt \\\n  actionlint zizmor macos-trash node@22 pnpm uv\n```\n\nPython 工具（通过 uv）：\n\n```bash\nuv tool install ruff\nuv tool install ty\nuv tool install pip-audit\n```\n\nRust 工具链：\n\n```bash\ncurl --proto '=https' --tlsv1.2 -sSf https:\u002F\u002Fsh.rustup.rs | sh\ncargo install prek worktrunk cargo-deny cargo-careful\n```\n\nNode 工具：\n\n```bash\nnpm install -g oxlint agent-browser\n```\n\nLM Studio（用于 [本地模型](#local-models)）：\n\n```bash\ncurl -fsSL https:\u002F\u002Flmstudio.ai\u002Finstall.sh | bash\n```\n\n这将安装 `lms`（CLI）和 `llmster`（无头守护进程）。或者，如果你更喜欢图形界面，也可以安装 [LM Studio 桌面应用](https:\u002F\u002Flmstudio.ai\u002Fdownload)。\n\n### Shell 设置\n\n在 `~\u002F.zshrc` 中添加：\n\n```bash\nalias claude-yolo=\"claude --dangerously-skip-permissions\"\n```\n\n`--dangerously-skip-permissions` 会跳过所有权限提示。这是为了获得最大吞吐量而推荐的运行方式——建议与下方的沙箱化结合使用。\n\n如果你正在使用 [本地模型](#local-models)，还需添加：\n\n```bash\nclaude-local() {\n  ANTHROPIC_BASE_URL=http:\u002F\u002Flocalhost:1234 \\\n  ANTHROPIC_AUTH_TOKEN=lmstudio \\\n  CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 \\\n  claude --model qwen\u002Fqwen3-coder-next \"$@\"\n}\n```\n\n`claude-local` 将 `claude` 包装起来，注入本地服务器的环境变量，并禁用那些无论如何都无法到达 Anthropic 的遥测请求。在通常运行 `claude` 的地方都可以使用它。\n\n### 设置\n\n将 `settings.json` 复制到 `~\u002F.claude\u002Fsettings.json`（或将其条目合并到您现有的文件中）。`$schema` 键可在支持 JSON Schema 的编辑器中启用自动补全和验证。模板包括：\n\n- **`env`（隐私）** -- 禁用三个非必要的出站流：Statsig 遥测（`DISABLE_TELEMETRY`）、Sentry 错误报告（`DISABLE_ERROR_REPORTING`）以及反馈调查（`CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY`）。请避免使用总括性的 `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC` -- 它还会禁用自动更新。\n- **`env`（代理团队）** -- `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS` 启用 [多代理团队](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fagent-teams)，其中单个会话可协调多个具有独立上下文窗口的队友。处于实验阶段，已知在会话恢复和任务协调方面存在局限性。\n- **`enableAllProjectMcpServers: false`** -- 这是默认设置，显式设定以防止被意外更改。项目 `.mcp.json` 文件存储在 Git 中，因此一旦仓库被攻陷，就可能推送恶意的 MCP 服务器。\n- **`alwaysThinkingEnabled: true`** -- 在会话之间持续启用 [扩展思考模式](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fcommon-workflows#use-extended-thinking-thinking-mode)。可通过 `Option+T` 按键逐会话切换。对于简单任务会增加延迟和成本；但对于复杂推理则值得开启。\n- **`permissions`** -- 拒绝规则，阻止读取凭据\u002F密钥及编辑 shell 配置文件（参见 [沙箱化](#sandboxing)）\n- **`cleanupPeriodDays: 365`** -- 将对话历史保留一年，而非默认的 30 天，以便 `\u002Finsights` 能有更多数据\n- **`hooks`** -- Bash 中的两个 `PreToolUse` 钩子，分别阻止 `rm -rf` 命令和直接推送到主分支（参见 [钩子](#hooks)）\n- **`statusLine`** -- 指向状态栏脚本（见下文）\n\n#### 状态栏\n\n终端底部的两行状态栏：\n\n```\n [Opus 4.6] 📁 claude-code-config │ 🌿 main\n ████⣿⣿⣿⣿⣿⣿⣿⣿ 28% │ $0.83 │ ⏱ 12m 34s ↻89%\n```\n\n第一行显示模型、当前目录和 Git 分支。第二行显示上下文使用情况的可视化条形图（颜色编码：绿色 \u003C50%，黄色 50-79%，红色 80% 及以上）、会话成本、已用时长以及提示缓存命中率。\n\n复制脚本：\n\n```bash\nmkdir -p ~\u002F.claude\ncp scripts\u002Fstatusline.sh ~\u002F.claude\u002Fstatusline.sh\nchmod +x ~\u002F.claude\u002Fstatusline.sh\n```\n\n`settings.json` 中的 `statusLine` 条目指向此脚本。需要安装 `jq`。\n\n### 全局 CLAUDE.md\n\n位于 `~\u002F.claude\u002FCLAUDE.md` 的全局文件为每个 Claude Code 会话设置了默认指令。它涵盖了开发哲学（不采用推测性功能、不进行过早抽象、替换而非弃用）、代码质量硬性限制（函数长度、复杂度、行宽）、针对 Python（`uv`、`ruff`、`ty`）、Node\u002FTypeScript（`oxlint`、`vitest`）、Rust（`clippy`、`cargo deny`）、Bash 和 GitHub Actions 的特定语言工具链，以及测试方法、代码审查顺序和工作流程规范（提交、钩子、PR）。\n\n将模板复制到位：\n\n```bash\ncp claude-md-template.md ~\u002F.claude\u002FCLAUDE.md\n```\n\n请根据个人偏好进行审查和自定义。该模板带有一定倾向性——请调整语言部分、工具选择及硬性限制，以匹配您的技术栈。有关 CLAUDE.md 文件的工作原理（层级结构、自动记忆、模块化规则、导入）的背景信息，请参阅 [管理 Claude 的记忆](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fmemory)。\n\n## 配置\n\n### 沙箱化\n\n在 Trail of Bits，我们以绕过权限检查的模式运行 Claude Code（`--dangerously-skip-permissions`）。这意味着您需要了解自己的沙箱选项——代理无需询问即可执行命令，因此沙箱才是防止其造成损害的关键。\n\n#### 内置沙箱（`\u002Fsandbox`）\n\nClaude Code 自带原生沙箱，利用操作系统级别的原语实现文件系统和网络隔离（macOS 上的 Seatbelt，Linux 上的 bubblewrap）。只需在会话中输入 `\u002Fsandbox` 即可启用。在自动允许模式下，所有未超出沙箱边界的 Bash 命令都会在无需权限提示的情况下执行。\n\n**默认行为：** 写操作仅限于当前工作目录及其子目录。读操作则不受限制——代理仍可读取 `~\u002F.ssh`、`~\u002F.aws` 等文件。网络访问仅限于明确允许的域名。\n\n**强化读取保护：** `settings.json` 模板包含用于阻止访问凭据和密钥的 `Read` 和 `Edit` 拒绝规则：\n\n- **SSH\u002FGPG 密钥** -- `~\u002F.ssh\u002F**`、`~\u002F.gnupg\u002F**`\n- **云凭据** -- `~\u002F.aws\u002F**`、`~\u002F.azure\u002F**`、`~\u002F.kube\u002F**`、`~\u002F.docker\u002Fconfig.json`\n- **包注册表令牌** -- `~\u002F.npmrc`、`~\u002F.npm\u002F**`、`~\u002F.pypirc`、`~\u002F.gem\u002Fcredentials`\n- **Git 凭据** -- `~\u002F.git-credentials`、`~\u002F.config\u002Fgh\u002F**`\n- **Shell 配置** -- `~\u002F.bashrc`、`~\u002F.zshrc`（禁止编辑，防止植入后门）\n- **macOS 钥匙串** -- `~\u002FLibrary\u002FKeychains\u002F**`\n- **加密钱包** -- MetaMask、Electrum、Exodus、Phantom、Solflare 等应用的数据\n\n如果没有启用 `\u002Fsandbox`，这些拒绝规则仅对 Claude 的内置工具生效——Bash 命令会绕过它们。而启用 `\u002Fsandbox` 后，相同的规则会在操作系统层面强制执行（Seatbelt\u002Fbubblewrap），因此 Bash 命令也会被阻止。建议两者结合使用。\n\n关于沙箱设计的详细理由，请参阅 Anthropic 的 [工程博客文章](https:\u002F\u002Fwww.anthropic.com\u002Fengineering\u002Fclaude-code-sandboxing)。完整的配置参考，请参阅 [沙箱文档](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fsandboxing)。\n\n#### 开发容器\n\n若需完全的读写隔离，可使用开发容器。代理将在仅挂载项目文件的容器中运行——它无法访问您的主机文件系统、SSH 密钥、云凭据或其他任何容器外的内容。\n\n- [trailofbits\u002Fclaude-code-devcontainer](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-devcontainer) -- 预配置的开发容器，集成 VS Code，预装 Claude Code，并配备常用开发工具。\n\n#### 远程 Droplet 实例\n\n若希望与本地机器彻底隔离，可将代理部署在一次性云实例上：\n\n- [trailofbits\u002Fdropkit](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fdropkit) -- 用于管理 DigitalOcean Droplet 的 CLI 工具，具备自动化设置、SSH 配置和 Tailscale VPN 功能。创建一个 Droplet，通过 SSH 登录，运行 Claude Code，完成后销毁实例。\n\n### 钩子\n\n钩子是会在 Claude Code 生命周期中的特定节点触发的 Shell 命令（或大语言模型提示）。它们提供了一种在模型通常不会暂停的决策点与之交互的方式。每个 `PreToolUse` 钩子都是一次机会，可以告诉模型“停下，先思考一下”或者“不要这样做，改用另一种方式”。每个 `PostToolUse` 钩子则是在模型完成操作后告知其“现在你已经完成了这件事，接下来你应该知道这些信息”。而每个 `Stop` 钩子则是提醒模型“你还未完成任务”。\n\n这种机制比仅靠系统提示更强大，因为钩子会在具体的、具有上下文意义的时刻触发。如果你在 CLAUDE.md 中写上“永远不要使用 `rm -rf`”，这条指令可能会被遗忘，或者因上下文压力而被覆盖。然而，一个阻止 `rm -rf` 的 `PreToolUse` 钩子则会在每次执行时立即触发，并在决策点直接显示错误信息。\n\n需要注意的是，钩子并不是安全边界——提示注入仍然可能绕过它们。实际上，钩子是一种**在恰当时机进行的结构化提示注入**：拦截工具调用、注入上下文、阻止已知的不良模式，并引导智能体的行为。它们更像是护栏，而非围墙。\n\n在实际应用中，你可以利用钩子来：\n- **阻止已知的不良模式**——例如 `rm -rf`、直接推送到主分支、使用错误的包管理器；\n- **添加自定义日志记录**——审计轨迹、Bash 命令日志、变更追踪；\n- **推动 Claude 继续工作**——通过一个 `Stop` 钩子检查 Claude 的最终响应，如果发现它在为未完成的工作找借口，就强制其继续；\n- **在决策点注入上下文**——如代码格式化后的检查结果、工具调用前的安全警告等。\n\n相关指南与示例：[使用钩子自动化工作流](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fhooks-guide)\n\n不想手动编写钩子？可以使用 [hookify 插件](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-plugins-official\u002Ftree\u002Fmain\u002Fplugins\u002Fhookify)，它能将自然语言描述转换为钩子配置——例如 `\u002Fhookify 当我使用 rm -rf 命令时提醒我`。\n\n#### 钩子事件\n\n| 事件            | 触发时机                     | 是否可阻止？ |\n|-----------------|------------------------------|--------------|\n| `PreToolUse`    | 工具调用执行之前             | 是           |\n| `PostToolUse`   | 工具调用成功之后             | 否           |\n| `UserPromptSubmit` | 用户提交提示时             | 是           |\n| `Stop`          | Claude 完成响应时            | 是           |\n| `SessionStart`  | 会话开始或恢复时            | 否           |\n| `SubagentStart`\u002F`Stop` | 子智能体启动或结束时     | 启动：否，结束：是 |\n| `TaskCompleted` | 任务被标记为完成时          | 是           |\n| `TeammateIdle`  | 团队成员即将进入空闲状态时  | 是           |\n\n#### 退出码\n\n| 退出码 | 行为                           |\n|--------|--------------------------------|\n| 0      | 允许执行操作（标准输出会被解析为 JSON 控制指令） |\n| 1      | 非阻塞式错误（在详细模式下显示错误信息到标准错误流） |\n| 2      | 阻塞式错误（错误信息会回传给 Claude 作为错误消息） |\n\n#### 示例\n\n> **这些只是可供参考的模式，而非可以直接使用的配置。** 推荐的默认设置仅包括 `settings.json` 中的两个阻塞型钩子。以下内容仅供参考，请仔细阅读代码，理解其功能，并根据你的工作流程进行调整后再使用。\n\n**阻止不良模式**（`PreToolUse`，位于 `settings.json` 中）：此仓库的 `settings.json` 文件中包含两个钩子，分别用于阻止 `rm -rf` 命令（建议改用 `trash`）以及禁止直接推送至主分支（要求必须使用特性分支）。这两个钩子都会通过 `jq` 从标准输入读取 Bash 命令，使用正则表达式匹配，然后以退出码 2 返回错误信息，指导 Claude 应该采取何种替代方案。\n\n**审计日志记录**（`PostToolUse`）：[`hooks\u002Flog-gam.sh`](hooks\u002Flog-gam.sh) 展示了如何为 CLI 工具构建审计跟踪。这个示例针对 GAM（Google Apps Manager）命令，通过动词模式列表将其分类为读操作或写操作，跳过读操作，并记录每次变更的时间戳、操作类型、具体命令及退出状态。这一模式可以推广到任何需要记录变更的 CLI 工具，只需替换相应的动词列表即可。将其配置为 `Bash` 的 `PostToolUse` 钩子即可。\n\n**Bash 命令日志**（`PostToolUse`）：将代理执行的每条 Bash 命令连同时间戳追加到日志文件中。这对于会话结束后回顾代理的实际操作非常有用。\n\n```json\n{\n  \"PostToolUse\": [\n    {\n      \"matcher\": \"Bash\",\n      \"hooks\": [\n        {\n          \"type\": \"command\",\n          \"command\": \"jq -r '\\\"[\\\" + (now | todate) + \\\"] \\\" + .tool_input.command' >> ~\u002F.claude\u002Fbash-commands.log\"\n        }\n      ]\n    }\n  ]\n}\n```\n\n**桌面通知**（`Notification`）：当 Claude 需要你的注意时，会触发操作系统原生的通知，这样你就可以在长时间的自主运行期间切换到其他工作，而不必一直盯着终端。\n\n```json\n{\n  \"Notification\": [\n    {\n      \"matcher\": \"\",\n      \"hooks\": [\n        {\n          \"type\": \"command\",\n          \"command\": \"osascript -e 'display notification \\\"Claude 需要您的注意\\\" with title \\\"Claude Code\\\"'\"\n        }\n      ]\n    }\n  ]\n}\n```\n\n在 Linux 系统上，可以将命令替换为 `notify-send 'Claude Code' 'Claude 需要您的注意'`。\n\n**强制使用指定的包管理器**（`PreToolUse`）：[`hooks\u002Fenforce-package-manager.sh`](hooks\u002Fenforce-package-manager.sh) 会阻止在使用 `pnpm` 的项目中执行 `npm` 命令，并提示 Claude 使用正确的工具。这一方法同样适用于任何“必须使用 X 而非 Y”的约定。\n\n**反自我开脱关卡**（`Stop`，提示钩子）：Claude 有时会在工作尚未完成时就宣布胜利，并为自己找各种借口，比如“这些问题本来就有”、“修复这个超出了范围”、“留待后续处理”等。通过一个基于提示的 `Stop` 钩子，可以在允许 Claude 结束任务之前，让一个快速模型先审查其最终回复，判断是否存在类似的自我开脱行为。\n\n```json\n{\n  \"Stop\": [\n    {\n      \"hooks\": [\n        {\n          \"type\": \"prompt\",\n          \"prompt\": \"你是一名仅接受 JSON 输入的评估者。你必须仅以一个 JSON 对象作为回应，不得包含任何其他内容。禁止使用 Markdown、代码块、解释性文字或任何前言，只返回原始的 JSON 对象。\\n\\n请审查助手的最终回复。如果助手存在为未完成的工作找借口的行为——例如声称问题‘原本就存在’或‘超出范围’、以‘问题太多无法修复’为由推卸责任、未经请求地提出‘后续处理’、列出问题却不加以解决，或者用各种理由忽略测试或 linter 报错——则应返回：{\\\"ok\\\": false, \\\"reason\\\": \\\"您正在为未完成的工作找借口。[具体问题]。请返回并完成。\\\"}\\n\\n否则，请返回：{\\\"ok\\\": true}。\\n\\n\"\n        }\n      ]\n    }\n  ]\n}\n```\n\n这里使用了 `type: \"prompt\"` 而不是 `type: \"command\"`——Claude Code 会将钩子的提示加上助手的回复发送给一个快速模型（Haiku），后者会给出肯定或否定的判断。如果被拒绝，拒绝理由会被作为下一条指令回传给 Claude，从而强制其继续工作。\n\n**重要提示**：提示中必须明确指示评估者仅以原始 JSON 格式回应。否则，Haiku 可能会将 JSON 包装在 Markdown 代码块中，或添加解释性文字，这会导致 JSON 解析失败，进而使钩子失效。提示钩子的默认超时时间为 30 秒，如有需要，可以通过 `timeout` 字段进行调整。\n\n### 插件与技能\n\nClaude Code 的功能由插件提供，这些插件包括技能（可重用的工作流）、代理（专业子代理）和命令（斜杠命令）。插件通过市场分发。\n\n#### Trail of Bits 市场\n\n安装三个 Trail of Bits 市场：\n\n```bash\nclaude plugin marketplace add trailofbits\u002Fskills\nclaude plugin marketplace add trailofbits\u002Fskills-internal\nclaude plugin marketplace add trailofbits\u002Fskills-curated\n```\n\n| 仓库 | 描述 |\n|------------|-------------|\n| [trailofbits\u002Fskills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills) | 我们的公开技能，用于安全审计、智能合约分析、逆向工程、代码审查以及开发工作流。 |\n| [trailofbits\u002Fskills-internal](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-internal) | 自动化漏洞利用、模糊测试框架生成、特定类型漏洞分析、以 Trail of Bits 风格编写的审计报告、项目范围界定、客户交付物以及专有工作流。仅供 Trail of Bits 内部使用。 |\n| [trailofbits\u002Fskills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) | 经过我们审核并批准使用的第三方技能和外部市场。每次新增都会进行代码审查。 |\n\n对于外部市场（Anthropic 官方、superpowers、compound-engineering 等），请参阅 [skills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) —— 它维护着已批准的列表和安装脚本。\n\n#### agent-browser 技能\n\n`agent-browser` CLI（在[先决条件](#tools)中已安装）自带一个市场，其中包含一项第一方技能，该技能会教 Claude 快照\u002F引用的工作流、命令语法、会话管理、认证流程、视频录制以及代理支持等内容（约 2,000 行参考材料加上可重用的 Shell 模板）。由于 `agent-browser` 是较新的工具，尚未被纳入模型的预训练数据中——如果没有这项技能，Claude 将无法理解引用生命周期或命令 API。\n\n```\n\u002Fplugin marketplace add vercel-labs\u002Fagent-browser\n\u002Fplugin install agent-browser@agent-browser\n```\n\n### MCP 服务器\n\nTrail of Bits 的每位员工都应至少将 **Context7** 和 **Exa** 设置为全局 MCP 服务器。\n\n| 服务器 | 功能 | 要求 |\n|--------|-------------|--------------|\n| Context7 | 查找最新的库文档 | 无（无需 API 密钥） |\n| Exa | 网络与代码搜索（见[网络浏览](#web-browsing)） | 需要 `EXA_API_KEY` 环境变量（Trail of Bits 员工：共享密钥存储于 1Password；外部用户：[在此获取](https:\u002F\u002Fexa.ai)） |\n\n#### 设置\n\nMCP 服务器在 `.mcp.json` 文件中配置。Claude Code 会合并来自两个位置的配置：\n\n- **`~\u002F.mcp.json`** —— 在每个会话中都可用的全局服务器\n- **项目根目录下的 `.mcp.json`** —— 项目专用服务器\n\n将此仓库中的 `mcp-template.json` 复制到 `~\u002F.mcp.json` 中，以实现全局可用性。将 `your-exa-api-key-here` 替换为您的实际密钥，或者如果您没有密钥，则移除 `exa` 条目。将项目专用的 MCP 服务器（例如本地数据库工具）添加到项目的 `.mcp.json` 中。\n\n### 本地模型\n\n使用 [LM Studio](https:\u002F\u002Flmstudio.ai) 运行本地 LLM，并将其与 Claude Code 配合使用。LM Studio 提供与 Anthropic 兼容的 `\u002Fv1\u002Fmessages` 端点，因此 Claude Code 只需更改基础 URL 即可连接。在 macOS 上，它使用 MLX 实现 Apple Silicon 原生推理，速度显著快于 GGUF。\n\n#### 推荐模型：Qwen3-Coder-Next（截至 2026 年 2 月）\n\n[Qwen3-Coder-Next](https:\u002F\u002Flmstudio.ai\u002Fmodels\u002Fqwen3-coder-next) 是一款 80B 混合专家模型，仅激活 3B 参数，专为代理式编码设计。它可以处理工具调用、长时序推理以及从执行失败中恢复。MLX 4 位量化版本约为 45GB，需要至少 64GB 统一内存才能加载，并拥有可用的上下文窗口。96GB 或以上则更为舒适。\n\n本地模型更新迅速。当此推荐过时时，请查看 LM Studio 的[特色模型页面](https:\u002F\u002Flmstudio.ai\u002Fmodels)，选择适合您内存容量且采用 MLX 4 位量化的顶级编码模型。\n\n#### 设置\n\n下载、加载并启动服务——所有操作均可通过 CLI 完成：\n\n```bash\nlms get Qwen3-Coder-Next@MLX-4bit -y\nlms load qwen\u002Fqwen3-coder-next --context-length 32768 --gpu max -y\nlms server start\n```\n\n`--context-length 32768` 在加载时分配 32K 的上下文窗口。Claude Code 对上下文要求较高，因此不应低于 25K。采样参数（温度、top-p 等）无需在服务器上配置——Claude Code 会在每次 API 请求中自行发送。\n\n#### 连接\n\n通过设置基础 URL 和认证令牌（对于本地服务器，任何字符串均可），将 Claude Code 指向 LM Studio：\n\n```bash\nANTHROPIC_BASE_URL=http:\u002F\u002Flocalhost:1234 \\\nANTHROPIC_AUTH_TOKEN=lmstudio \\\nclaude\n```\n\n或者使用 [Shell 设置](#shell-setup) 中的 `claude-local` shell 函数，以避免每次都输入环境变量。\n\n如果 `claude-local` 出现错误信息“从初始提示中保留的标记数量大于上下文长度”，请尝试禁用自动加载的工具（先使用 `--strict-mcp-config`，再尝试同时使用 `--disable-slash-commands` 和 `--system-prompt \"You are a helpful coding assistant.\"`）。\n\n如果 `claude-local` 报错“request.thinking.type: 无效的判别值。预期 'enabled' | 'disabled'”，则添加 `--settings '{\"alwaysThinkingEnabled\": false}'` 标志。\n\n有关完整环境变量列表（模型覆盖、子代理模型、流量控制等），请参阅 [模型配置文档](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fmodel-config)。\n\n### 个性化\n\n您可以自定义 Claude 工作时显示的加载动画词汇。只需对 Claude 说：“在我的设置中，将加载动画词汇设为黑客主题”——也可以是 Doom、星际迷航或其他风格。\n\n# 使用方法\n\n在阅读本节内容之前，请先阅读 Anthropic 的《Claude Code 最佳实践》（https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Fbest-practices）。这是获得良好结果的最重要资源。以下内容均以此为基础。\n\n## 持续改进\n\n大多数人在使用 Claude Code 时很快就会陷入瓶颈。他们找到一种有效的工作流程并不断重复，却从未意识到自己还有多少潜力未被发掘。解决办法是建立一个刻意的反馈循环：回顾过去发生的事情，调整您的设置，让下一周受益于所学的经验。\n\n每周运行一次 `\u002Finsights`。它会分析您最近的会话并提炼出模式——哪些做法有效，哪些失败，您把时间花在了哪里。当它指出有用的信息时，请立即采取行动：在 CLAUDE.md 中添加一条规则，编写一个钩子来阻止您反复犯的错误，或将重复的工作流程提取为一项技能。每一次调整都会产生叠加效应。几周之后，您的设置将与默认设置大不相同，完全贴合您的实际工作方式。\n\n## 项目级 CLAUDE.md\n\n对于你参与的每个项目，在仓库根目录下添加一个 `CLAUDE.md` 文件，其中包含该项目特有的上下文信息。[全局 CLAUDE.md](#global-claudemd) 定义了默认设置；而项目级别的文件则在此基础上叠加该代码库的独特内容。一份优秀的项目 CLAUDE.md 应包括架构（目录结构、关键抽象）、构建与测试命令（`make dev`、`make test`）、代码库导航模式（针对你代码库的 ast-grep 示例）、领域特定的 API 和常见陷阱，以及测试规范。\n\n如需参考一个结构良好的项目 CLAUDE.md 示例，请查看 [crytic\u002Fslither 的 CLAUDE.md](https:\u002F\u002Fgithub.com\u002Fcrytic\u002Fslither\u002Fblob\u002Fmaster\u002FCLAUDE.md)。它在本仓库提供的通用标准之上，进一步叠加了 slither 特有的上下文——SlithIR 内部机制、检测器遍历模式、类型处理中的坑点等。\n\n## 输出样式\n\n当你熟悉一个新的代码库时，启用**解释型** [输出样式](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Foutput-styles)（通过 `\u002Foutput-style explanatory` 命令，或在 `settings.json` 中设置 `\"outputStyle\": \"Explanatory\"`）。Claude 在工作过程中会解释框架和代码模式，并在其正常输出旁添加“★ 洞察”区块，说明推理过程和设计选择。这在审计不熟悉的代码、审查非日常使用的编程语言，或刚加入客户项目时非常有用。不过，这种模式的权衡在于上下文：较长的响应会导致更早触发压缩。当你需要速度时，可以切换回默认样式。你也可以在 `~\u002F.claude\u002Foutput-styles\u002F` 目录下以 Markdown 文件的形式[创建自定义样式](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Foutput-styles)。\n\n## 上下文管理\n\n上下文窗口是有限且不可替代的，会在会话中被不断消耗。每次读取文件、调用工具或进行一次对话都会占用它。当上下文窗口满载时，Claude 会自动压缩对话——将对话摘要化以释放空间。自动压缩虽然有效，但会造成信息丢失：细微的决策、错误细节以及推理线索都会在每次压缩后逐渐退化。最好的策略就是尽量避免触发压缩。\n\n### 保持会话简洁\n\n**将工作限定在一个会话内。** 每个功能、Bug 修复或调查都应控制在单个上下文窗口之内。如果任务过于庞大，就将其拆分成若干部分，分别在新的会话中完成。这是提升质量最有效的方法。\n\n一个始终在上下文预算内的会话，其产出的代码质量远胜于那些经过三次压缩才勉强完成的会话。当你发现上下文即将耗尽时（可通过状态栏判断：绿色 >50%、黄色 >20%、红色低于 20%），就应该结束当前会话并开启新会话，而不是硬撑下去。\n\n**优先使用 `\u002Fclear` 而不是 `\u002Fcompact`。** `\u002Fclear` 会清空对话并重新开始，而 `\u002Fcompact` 则会总结对话并继续。建议在不同任务之间默认使用 `\u002Fclear`。\n\n`\u002Fcompact` 在你正在进行某项任务且需要回收空间而不丢失进度时很有用，但每次压缩都是一次有损压缩——细节会被丢弃，模型对你意图的理解也会略有下降。如果一个会话中进行了两次压缩，那就说明任务本身过大。而 `\u002Fclear` 不会造成任何信息损失，因为此时并无可失去的内容——你的 CLAUDE.md 会重新加载，Git 状态也会恢复到最新，代理也会重新读取所需文件。如果你确实需要使用 `\u002Fcompact`，可以通过传递重点指令来引导摘要内容，例如 `\u002Fcompact Focus on the auth refactor`，这样就能保留重要部分并舍弃其他内容。\n\n**两次修正后果断止损。** 如果你已经对同一个问题纠正了 Claude 两次，但它仍然出错，那就不要再继续尝试了——上下文已经被失败的思路污染了。这时可以使用检查点功能（`Esc Esc` 或 `\u002Frewind`）回滚到第一次错误操作之前，然后用更好的提示重新尝试。如果会话已经严重偏离轨道，无法通过检查点修复，那就直接使用 `\u002Fclear` 并从头开始。一个结合了先前经验的全新提示，通常比经过多次修正的冗长会话效果更好。\n\n### 管理上下文的工具\n\n**检查点**（`Esc Esc` 或 `\u002Frewind`）可以将代码和对话恢复到会话中任意之前的提示状态。它们相当于你的撤销系统，应积极使用。你可以大胆尝试各种方法，因为知道如果不成功还可以回退。\n\n在回溯菜单中，“从这里开始摘要”选项是比 `\u002Fcompact` 更为精细的选择：它不会压缩整个对话，而是保留早期的上下文，只对占用大量空间的部分（比如冗长的调试讨论）进行摘要。这样可以完整保留你的初始指令。\n\n**将研究任务交给子代理处理。** 子代理（Task 工具、自定义代理）各自拥有独立的上下文窗口。主会话只会看到子代理的摘要，而不会接触到其完整的内部工作上下文。\n\n请有意识地利用这一点：当任务需要阅读大量文档、探索陌生代码，或进行可能使主会话上下文膨胀的研究时，可以将其委派给子代理。这样主会话就能保持精简，专注于实现，而子代理则负责处理那些需要大量上下文的任务。\n\n**对于复杂功能，先访谈再实现。** 让 Claude 先与你讨论该功能的需求、边界情况和权衡，然后将规格写入文件。之后再开启一个新的会话来实现该规格。\n\n**将稳定不变的上下文放入 CLAUDE.md，而非对话中。** 项目架构、编码规范、工具偏好、工作流程约定等可复用的内容都应放在 CLAUDE.md 中。它会在每次会话中自动加载，并且在执行 `\u002Fclear` 后仍能保留。\n\n如果需要在不同会话之间传递上下文，可以先提交当前的工作成果，将简要计划写入文件，然后执行 `\u002Fclear`，并在下一个会话中让 Claude 查看该文件即可。你也可以通过 `claude --continue` 继续上一个会话，或使用 `claude --resume` 从最近的会话中选择继续。不过，相比恢复一个过时的会话，从头开始并辅以书面交接通常效果更好——这样上下文更加干净，提示缓存也更为温暖。\n\n## 网络浏览\n\nClaude Code 提供三种与网络交互的方式。\n\n### Exa AI (MCP)\n\n这是一种语义化的网页搜索工具，能够返回干净且专为大语言模型优化的文本。与内置的 `WebSearch` 工具不同（后者仅返回搜索结果链接，Claude 还需自行获取并解析这些链接），Exa 会直接提取并格式化内容，使其更适合大语言模型使用。这不仅节省了上下文窗口，还能带来更相关的结果。你可以在 CLAUDE.md 中指示 Claude 更倾向于使用 Exa 而不是 `WebSearch`。\n\n### agent-browser\n\n通过命令行实现无头浏览器自动化。它会运行自己的 Chromium 实例——**不会**共享您的 Chrome 配置文件、Cookie 或登录会话。这意味着，如果没有从头开始登录，它无法访问已认证的页面（如 Google 文档、内部仪表板等）。它的优势在于上下文效率：快照\u002F引用系统（`@e1`、`@e2`）使用的上下文比发送完整的无障碍树少约 93%，因此该代理可以在不耗尽上下文窗口的情况下导航复杂的多页工作流。此外，还支持视频录制和并行会话。\n\n```bash\nagent-browser open \u003Curl>        # 导航\nagent-browser snapshot -i       # 获取元素引用（@e1、@e2）\nagent-browser click @e1         # 点击元素\nagent-browser fill @e2 \"text\"   # 填充输入框\nagent-browser screenshot        # 截取屏幕截图\n```\n\n您需要安装第一方技能，才能让 Claude 有效使用 agent-browser——请参阅配置部分中的 [agent-browser 技能](#agent-browser-skill)。\n\n### Claude in Chrome (MCP)\n\n通过 [Claude in Chrome](https:\u002F\u002Fchromewebstore.google.com\u002Fdetail\u002Fclaude\u002Ffcoeoabgfenejglbffodgkkbkcdhcgfn) 扩展程序实现浏览器自动化。它运行在您实际的 Chrome 浏览器中，因此可以访问您现有的登录会话、Cookie 和扩展程序。这是唯一一种无需重新认证即可与已认证页面（Gmail、Google 文档、Jira、内部工具）交互的选项。其代价是，它使用屏幕截图和无障碍树来理解页面内容，这会消耗比 agent-browser 的引用系统更多的上下文。\n\n### 何时使用哪种工具\n\n| 需求 | 使用 |\n|------|-----|\n| 在网上搜索信息 | Exa |\n| 自动化公共页面上的多步骤工作流 | agent-browser |\n| 与已认证\u002F内部页面交互 | Claude in Chrome |\n| 录制浏览器操作视频 | agent-browser |\n| 检查视觉布局或截取屏幕截图以进行分析 | Claude in Chrome |\n\n## 快速模式\n\n`\u002Ffast` 可切换快速模式。使用相同的 Opus 4.6 模型，输出速度提升约 2.5 倍，但每 token 的成本增加 6 倍。默认情况下应保持关闭状态。\n\n只有在**紧密的交互式循环**中，快速模式才值得开启——例如您正在实时调试、迭代输出结果，而每一秒的延迟都会让您分心。如果您即将启动一项自主运行任务（如 `\u002Ffix-issue`、群集任务或任何您无法持续监控的任务），请先将其关闭。代理本身并不会受益于更低的延迟；您只是在浪费资金。\n\n如果确实要使用快速模式，请在会话开始时启用。在对话中途切换会导致整个上下文按快速模式费率重新计价，并使提示缓存失效。有关详细信息，请参阅[快速模式文档](https:\u002F\u002Fcode.claude.com\u002Fdocs\u002Fen\u002Ffast-mode)。\n\n## 命令\n\n自定义斜杠命令是定义参数化流程的 Markdown 文件。它们接受参数，执行特定的步骤序列，并产生结果。这些命令是从经常出现在 `\u002Finsights` 中的手动工作流中提取出来的——如果您发现自己反复执行相同的多步骤序列，那么它就很适合作为一个命令。\n\n一旦某个工作流被定义为命令，代理也可以执行它。您可以将 `claude -p` 包装在一个 shell 脚本中，并使用 `xargs -P` 来并行地在多个代码库中分发同一命令——每个命令都会获得一个带有预算上限的独立无头会话。\n\n```bash\nmkdir -p ~\u002F.claude\u002Fcommands\ncp commands\u002Freview-pr.md ~\u002F.claude\u002Fcommands\u002F\ncp commands\u002Ffix-issue.md ~\u002F.claude\u002Fcommands\u002F\ncp commands\u002Fmerge-dependabot.md ~\u002F.claude\u002Fcommands\u002F\n```\n\n### 审核 PR\n\n[`commands\u002Freview-pr.md`](commands\u002Freview-pr.md)——使用并行代理（pr-review-toolkit、Codex、Gemini）审核 GitHub PR，修复发现的问题并推送更改。调用方式为 `\u002Freview-pr 456`，其中 `456` 是 PR 编号。\n\n### 修复问题\n\n[`commands\u002Ffix-issue.md`](commands\u002Ffix-issue.md)——接收一个 GitHub 问题并完全自主地完成它：研究、规划、实施、测试、创建 PR、与并行代理进行自我评审、修复自身发现的问题，并在完成后在问题中留言。调用方式为 `\u002Ffix-issue 123`，其中 `123` 是问题编号。\n\n### 合并 Dependabot\n\n[`commands\u002Fmerge-dependabot.md`](commands\u002Fmerge-dependabot.md)——评估并合并仓库中未合并的 Dependabot PR。审计 Dependabot 配置，构建传递依赖图，将重叠的 PR 分批处理，在并行环境中评估每一批（构建、测试、矩阵差距分析），然后按顺序合并通过的 PR，并在合并后再次进行测试。调用方式为 `\u002Fmerge-dependabot trailofbits\u002Falgo`。\n\n## 编写技能与代理\n\n技能和代理编码的是专业知识，而非具体流程。命令会执行特定的步骤序列，而技能则教会 Claude 如何思考某一类工作，代理则是您交给其执行任务的专业人员。在设计结构、描述和逐步披露方面，请先阅读 Anthropic 的[技能编写最佳实践](https:\u002F\u002Fplatform.claude.com\u002Fdocs\u002Fen\u002Fagents-and-tools\u002Fagent-skills\u002Fbest-practices)。\n\n**技能**会将指令加载到当前会话中。它们是规范、检查清单和决策框架，用于塑造 Claude 处理工作的方式——而不是一步一步的脚本。**代理**则在自己的上下文窗口中运行，并拥有专门的系统提示。当工作受益于专注的角色定位、会话上下文过于臃肿、需要受限的工具集，或者应该与其他工作并行运行时，就应使用代理。\n\n**安全工作的代理角色。**“曾对数百个可重入漏洞进行分类的高级审计员”与“考虑覆盖率和崩溃分类的模糊测试工程师”的代码审查方式截然不同。系统提示不仅决定了代理遵循哪些步骤，还影响了它会注意到什么以及优先处理哪些内容。如果您在某一类漏洞或分析方法上拥有深厚的专业知识，那就将其编码为代理角色，而不仅仅是技能检查清单。\n\n**工具。**来自 `claude-plugins-official` 的 `plugin-dev` 插件提供了相应的流程。`\u002Fplugin-dev:skill-development` 引导您完成技能开发的 6 步流程。`\u002Fplugin-dev:agent-development` 则针对代理开发提供相同的支持。对于包含多个组件的完整插件，可以使用 `\u002Fplugin-dev:create-plugin` 来统筹整个流程。\n\n**质量。**对于安全相关的技能和代理，不要仅仅描述工作流程。应将使其达到专家水平的参考资料一并打包：分析检查清单、漏洞模式、示例输出以及经验丰富的审计员会采用的决策逻辑。保持 SKILL.md 简洁（不超过 2,000 字），并将详细内容移至 `references\u002F` 文件中。\n\n### 发布技能\n\n发布位置取决于目标受众：\n\n- **面向公众和开源社区**——向 [trailofbits\u002Fskills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills) 提交 PR。\n- **仅限 Trail of Bits 内部使用**——向 [trailofbits\u002Fskills-internal](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-internal) 提交 PR。\n- **希望获得批准的第三方技能**——向 [trailofbits\u002Fskills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) 提交 PR，并注明原始来源。所有 PR 都将经过代码审查。\n\n## 推荐技能\n\n技能来自您通过 Trail of Bits 市场和其他第三方市场安装的插件。以下是每个市场中值得关注的技能。\n\n### Trail of Bits ([trailofbits\u002Fskills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills))\n\n用于安全审计、代码分析和开发工作流。随 Trail of Bits 市场自动安装。\n\n| 技能 | 作用 | 使用场景 |\n|-------|-------------|----------------|\n| `ask-questions-if-underspecified` | 在开始工作前提出1–5个有针对性的澄清问题 | 任何描述不明确的需求——防止构建错误的内容 |\n| `modern-python` | 使用 uv、ruff、ty、pytest、prek 配置项目 | 新的 Python 项目，或从 pip\u002FPoetry\u002Fmypy\u002Fblack 迁移时 |\n| `audit-context-building` | 使用第一性原理和“五个为什么”方法逐行分析代码 | 在进行审计前深入理解不熟悉的代码 |\n| `differential-review` | 以安全性为中心的代码变更评审，并进行影响范围分析 | 审查对安全性有重要影响的 PR 或提交 |\n\n### Superpowers ([obra\u002Fsuperpowers](https:\u002F\u002Fgithub.com\u002Fobra\u002Fsuperpowers))\n\n强调工作流纪律——在编码前强制规划、结构化调试，并在宣布完成前进行验证。这些技能环环相扣：头脑风暴 → 计划 → 执行 → 验证。\n\n| 技能 | 作用 | 使用场景 |\n|-------|-------------|----------------|\n| `\u002Fsuperpowers:brainstorm` | 通过苏格拉底式提问完善想法后再实施 | 开始任何非 trivial 功能时——及早发现需求不明确的问题 |\n| `\u002Fsuperpowers:systematic-debugging` | 结构化的四阶段根本原因分析 | 任何难以确定原因的 bug——防止只治标不治本 |\n\n### Anthropic 官方 ([anthropics\u002Fclaude-code\u002Fplugins](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\u002Ftree\u002Fmain\u002Fplugins))\n\n由 Claude Code 仓库维护的官方插件。可通过 `claude-plugins-official` 市场安装。\n\n| 技能 | 作用 | 使用场景 |\n|-------|-------------|----------------|\n| `frontend-design` | 在前端任务中自动调用，提供大胆设计、排版、动画和视觉润色方面的指导——避免千篇一律的 AI 风格 | 构建对视觉质量要求较高的 Web 组件、页面或应用时 |\n| `\u002Fpr-review-toolkit:review-pr` | 并行运行6个专业代理：评论、测试、错误处理、类型设计、代码质量和代码简化 | PR 审查——可选择全部功能，也可单独挑选特定方面（如简化、测试、错误等）|\n\n`pr-review-toolkit` 中的 `code-simplifier` 代理也可以单独使用，只需调用 `\u002Fpr-review-toolkit:review-pr simplify` 即可进行专注的代码简化。\n\n### Compound Engineering ([EveryInc\u002Fcompound-engineering-plugin](https:\u002F\u002Fgithub.com\u002FEveryInc\u002Fcompound-engineering-plugin))\n\n用于规划和评审的多代理工作流。\n\n| 技能 | 作用 | 使用场景 |\n|-------|-------------|----------------|\n| `\u002Fworkflows:plan` | 将功能描述转化为包含并行研究代理的实现计划 | 开始涉及多个文件或组件的功能时 |\n| `\u002Fworkflows:review` | 并行运行15个专业评审代理（安全、性能、架构、风格等） | 在合并任何重要 PR 之前——能够发现单人评审遗漏的问题 |\n\n## 推荐的 MCP 服务器\n\n除了核心的 Context7 和 Exa 服务器（参见 [MCP 服务器](#mcp-servers)）之外，以下服务器也值得为特定工作流添加。\n\n| 服务器 | 作用 | 要求 |\n|--------|-------------|--------------|\n| [Granola](https:\u002F\u002Fgranola.ai) | 会议记录和转录 | 需要 Granola 应用程序的付费套餐 |\n| [slither-mcp](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fslither-mcp) | Slither 静态分析工具，用于 Solidity 智能合约——检测漏洞、生成调用图、映射继承关系、提取函数元数据 | Python 3.11+，Solidity 编译器（Foundry\u002FHardhat） |\n| [pyghidra-mcp](https:\u002F\u002Fgithub.com\u002Fclearbluejar\u002Fpyghidra-mcp) | 无头 Ghidra 反汇编工具——二进制分析、反编译、交叉引用以及基于嵌入向量的语义搜索 | 需要 Ghidra（设置 `GHIDRA_INSTALL_DIR` 环境变量） |\n| [Serena](https:\u002F\u002Fgithub.com\u002Foraios\u002Fserena) | 通过 LSP 实现跨30多种语言的符号级代码导航与编辑——按符号而非行号查找符号、引用并进行编辑 | 需要 `uv` 和特定语言的 LSP 服务器 |","# Claude Code Config 快速上手指南\n\n本指南基于 Trail of Bits 的最佳实践，帮助中国开发者快速配置安全、高效的 Claude Code 开发环境。\n\n## 环境准备\n\n### 系统要求\n- **推荐系统**：macOS（首选）或 Linux\n- **终端模拟器**：强烈推荐使用 [Ghostty](https:\u002F\u002Fghostty.org)，因其原生 GPU 渲染能高效处理 AI 长文本输出，且支持原生分屏。\n  - macOS 安装：`brew install --cask ghostty`\n  - Linux 用户请参考官方文档，Windows 用户可暂用 WezTerm。\n- **注意**：本配置主要针对类 Unix 系统设计。\n\n### 前置依赖\n请确保已安装以下核心工具链。国内用户若遇到 Homebrew 或网络下载缓慢，建议配置相应镜像源或使用代理。\n\n**1. 基础工具 (Homebrew)**\n```bash\nbrew install jq ripgrep fd ast-grep shellcheck shfmt \\\n  actionlint zizmor macos-trash node@22 pnpm uv\n```\n\n**2. Python 工具链 (via uv)**\n```bash\nuv tool install ruff\nuv tool install ty\nuv tool install pip-audit\n```\n\n**3. Rust 工具链**\n```bash\ncurl --proto '=https' --tlsv1.2 -sSf https:\u002F\u002Fsh.rustup.rs | sh\ncargo install prek worktrunk cargo-deny cargo-careful\n```\n\n**4. Node.js 工具**\n```bash\nnpm install -g oxlint agent-browser\n```\n\n**5. 本地模型支持 (可选)**\n如需运行本地模型，请安装 LM Studio：\n```bash\ncurl -fsSL https:\u002F\u002Flmstudio.ai\u002Finstall.sh | bash\n```\n\n## 安装步骤\n\n### 1. 克隆配置仓库\n获取官方配置文件并进入目录：\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-config.git\ncd claude-code-config\n```\n\n### 2. 初始化配置\n启动 Claude Code 并运行内置的配置命令。该命令会自动检测已安装的组件，引导你完成安装，并将相关命令注册到全局，以便在任何目录下使用。\n\n```bash\nclaude\n```\n\n在弹出的会话窗口中输入以下命令：\n```text\n\u002Ftrailofbits:config\n```\n*注：后续若配置更新，再次运行此命令即可同步。*\n\n### 3. 配置 Shell 别名与本地模型\n编辑你的 `~\u002F.zshrc` (或 `~\u002F.bashrc`) 文件，添加以下内容以优化体验：\n\n**启用免权限确认模式（需配合沙箱使用）：**\n```bash\nalias claude-yolo=\"claude --dangerously-skip-permissions\"\n```\n\n**配置本地模型调用（如使用 LM Studio）：**\n```bash\nclaude-local() {\n  ANTHROPIC_BASE_URL=http:\u002F\u002Flocalhost:1234 \\\n  ANTHROPIC_AUTH_TOKEN=lmstudio \\\n  CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 \\\n  claude --model qwen\u002Fqwen3-coder-next \"$@\"\n}\n```\n保存后执行 `source ~\u002F.zshrc` 生效。\n\n### 4. 部署全局设置与规范\n将推荐的配置文件复制到用户目录，以启用安全策略、状态栏显示及编码规范。\n\n**复制设置文件：**\n```bash\ncp settings.json ~\u002F.claude\u002Fsettings.json\n```\n*说明：此文件包含隐私保护（禁用遥测）、沙箱规则、钩子（Hooks）及 MCP 服务器配置。*\n\n**复制状态栏脚本：**\n```bash\nmkdir -p ~\u002F.claude\ncp scripts\u002Fstatusline.sh ~\u002F.claude\u002Fstatusline.sh\nchmod +x ~\u002F.claude\u002Fstatusline.sh\n```\n\n**复制全局编码规范 (CLAUDE.md)：**\n```bash\ncp claude-md-template.md ~\u002F.claude\u002FCLAUDE.md\n```\n*建议：打开 `~\u002F.claude\u002FCLAUDE.md` 根据你的技术栈（如 Python\u002FNode\u002FRust 偏好）进行微调。*\n\n## 基本使用\n\n### 启动会话\n在任意项目目录下，直接使用以下命令启动增强版的 Claude Code：\n\n```bash\nclaude\n```\n或者使用配置的免确认模式（推荐配合沙箱）：\n```bash\nclaude-yolo\n```\n\n### 启用沙箱模式（关键安全步骤）\n由于使用了 `--dangerously-skip-permissions`，务必在会话中启用沙箱以限制文件系统访问权限，防止意外修改系统文件。\n\n在 Claude Code 会话中输入：\n```text\n\u002Fsandbox\n```\n*效果：此时 AI 执行的命令将被限制在当前项目目录内，且无法读取 `~\u002F.ssh`、`~\u002F.aws` 等敏感凭证。*\n\n### 查看状态\n配置完成后，终端底部将显示两行状态栏，包含当前模型、Git 分支、上下文使用率、会话成本及缓存命中率等信息，帮助你实时监控资源消耗。\n\n### 本地模型测试\n如果你配置了本地模型，可通过以下命令测试：\n```bash\nclaude-local\n```","某安全审计团队正在对一家金融科技公司的核心交易系统进行代码漏洞扫描与修复，需要在极短时间内处理海量遗留代码并保证零误报。\n\n### 没有 claude-code-config 时\n- **环境配置耗时且不一致**：每位工程师需手动安装 Ghostty、ripgrep、ruff 等数十种依赖工具，不同成员的本地环境差异导致 AI 生成的命令经常执行失败。\n- **沙箱与安全策略缺失**：Claude Code 默认缺乏严格的沙箱限制，在审计敏感金融代码时，存在意外修改生产配置或泄露数据的风险。\n- **上下文管理混乱**：面对百万行代码库，AI 常因缺乏预定义的“技能（Skills）”和全局规则而迷失方向，输出泛泛而谈的建议而非具体修复方案。\n- **工作流断裂**：缺少预设的 Hooks 和 MCP 服务器连接，人工需要在终端、浏览器和文档间频繁切换以验证漏洞，严重拖慢审计节奏。\n\n### 使用 claude-code-config 后\n- **一键标准化环境**：运行 `\u002Ftrailofbits:config` 即可自动检测并安装所有必备工具（如 Ghostty 终端优化、uv Python 链），确保全团队环境高度一致，开箱即用。\n- **内置企业级安全沙箱**：自动应用 Trail of Bits 经过实战验证的沙箱策略和权限控制，确保 AI 在隔离环境中操作，杜绝了高危误操作风险。\n- **精准的场景化智能**：加载预置的安全审计\"Skills\"和全局 `CLAUDE.md`，AI 能立即理解金融代码规范，直接输出符合行业标准的漏洞修复补丁。\n- **自动化闭环工作流**：通过集成的 Hooks 和 MCP 服务器，AI 可自主调用本地模型验证修复效果并更新文档，实现从发现到修复的全自动流转。\n\nclaude-code-config 将原本需要数天搭建的专业 AI 审计环境压缩为分钟级部署，让安全团队能专注于高价值的漏洞分析而非工具调试。","https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Ftrailofbits_claude-code-config_033a3f88.png","trailofbits","Trail of Bits","https:\u002F\u002Foss.gittoolsai.com\u002Favatars\u002Ftrailofbits_ff7161a4.png","More code: binary lifters @lifting-bits, blockchain @crytic, forks @trail-of-forks ",null,"opensource@trailofbits.com","https:\u002F\u002Fwww.trailofbits.com","https:\u002F\u002Fgithub.com\u002Ftrailofbits",[84],{"name":85,"color":86,"percentage":87},"Shell","#89e051",100,1817,138,"2026-04-11T17:13:57",4,"macOS, Linux","未说明（终端工具 Ghostty 在 macOS 上使用原生 Metal GPU 渲染以优化文本输出，非 AI 模型推理需求）","未说明（提及 Ghostty 终端内存占用约 500MB，远低于 VS Code）",{"notes":96,"python":97,"dependencies":98},"该工具是 Claude Code 的配置集合而非独立 AI 模型。主要依赖官方 'claude' CLI 工具。推荐使用 Ghostty 终端（macOS 首选，Linux 可用，Windows 暂不支持建议用 WezTerm）。需安装 Homebrew (macOS) 或对应包管理器来安装核心工具链。支持通过 LM Studio 运行本地模型。安全方面建议在沙盒模式或 devcontainer 中运行，并配置了特定的权限拒绝规则以保护敏感文件。","未说明（通过 uv 管理 Python 工具，示例中安装了 ruff, ty, pip-audit）",[99,100,101,102,103,104,105,106,107,108],"claude-code (CLI)","jq","ripgrep","fd","ast-grep","shellcheck","shfmt","actionlint","zizmor","node@22",[13],[111,112,113,114],"claude","claude-code","claude-code-cli","developer-tool","2026-03-27T02:49:30.150509","2026-04-12T07:50:44.329509",[],[]]